This past Monday, April 7th, the OpenSSL Project released an update to address a serious security issue – CVE-2014-0160 – nicknamed “Heartbleed”. Any server or client application that depends on impacted versions of OpenSSL is vulnerable to leaking the secrets its encryption was meant to protect to a remote attacker.
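The first step in responding to an advisory like this is knowing which of your own binaries link against an affected OpenSSL. The following is an added example, not code from Trillian or from the OpenSSL project: it parses the version banner that `openssl version` (or a linked library's `SSLeay_version` string) reports and compares it against the range the OpenSSL Project identified as affected, which is 1.0.1 through 1.0.1f and 1.0.2-beta1, with 1.0.1g and 1.0.2-beta2 carrying the fix and the 1.0.0 and 0.9.8 branches unaffected. The sample banners in `main()` are constructed for illustration.

```python
"""Triage OpenSSL version banners against the Heartbleed-affected range.

Added example, not part of the Trillian advisory or the OpenSSL project.
Affected range (per the OpenSSL Project): 1.0.1 through 1.0.1f and
1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the fix; 1.0.0 and 0.9.8 never
had the TLS heartbeat extension.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.2-beta1"
# or a bare "1.0.1g". Group 4 is the patch letter(s), group 5 the beta number.
_VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?",
    re.IGNORECASE,
)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """Return (major, minor, fix, patch_letters, beta_number), or None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letters, beta = m.groups()
    return (int(major), int(minor), int(fix), letters.lower(), int(beta) if beta else None)


def is_heartbleed_vulnerable(banner: str) -> Optional[bool]:
    """True if the upstream version is in the affected range, False if not, None if unknown.

    Caveat: distributions frequently backport security fixes without changing the
    upstream version letter (a vendor 1.0.1e build may already be patched), so a
    True result means "verify this host", not "confirmed vulnerable". Check the
    package changelog or the vendor advisory for the definitive answer.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letters, beta = parsed
    if (major, minor) != (1, 0):
        return False  # 0.9.x, 1.1.x, 3.x are outside the affected family
    if fix == 0:
        return False  # 1.0.0 branch predates the heartbeat extension
    if fix == 1:
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return letters == "" or letters <= "f"
    if fix == 2:
        # Only 1.0.2-beta1 was affected; beta2 shipped with the fix.
        return beta == 1
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict ("patch", "ok", "unknown") from a host -> banner inventory."""
    verdicts = {}
    for host, banner in inventory.items():
        result = is_heartbleed_vulnerable(banner)
        verdicts[host] = "unknown" if result is None else ("patch" if result else "ok")
    return verdicts


def main() -> None:
    # Constructed sample inventory, e.g. collected by running `openssl version`
    # on each host; the hostnames are placeholders.
    inventory = {
        "web-1.example.test": "OpenSSL 1.0.1e 11 Feb 2013",
        "web-2.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
        "imap.example.test": "OpenSSL 1.0.0k 5 Feb 2013",
        "beta.example.test": "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "legacy.example.test": "no openssl installed",
    }
    for host, verdict in sorted(triage(inventory).items()):
        print(f"{host:22s} {verdict}")


if __name__ == "__main__":
    main()
```

The parser deliberately returns `None` rather than guessing when a banner does not look like an OpenSSL version, so an inventory gap surfaces as "unknown" instead of silently passing as safe.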
Trillian Cloud Infrastructure.
As of Tuesday, April 8th at 23:00 UTC, all of Trillian’s infrastructure has been updated and is no longer vulnerable. This includes our general-purpose web servers, the servers used to facilitate our web and mobile clients, and the IMPP servers that power our actual IM network. Because this attack could have exposed our TLS certificate, we’ve also generated a new private key and obtained a new certificate as a precaution.
Trillian for Windows versions 5.3.x.x to 220.127.116.11 are vulnerable to Heartbleed. Although exploiting a client is a few orders of magnitude more difficult than exploiting a server, exploitation is still technically possible and we urge everyone to upgrade their clients as well. A new version, 18.104.22.168, is now available via auto-update and direct download. Other versions of Trillian, including Trillian for Mac, are not impacted by this vulnerability.
In-House Trillian Servers.
All versions of in-house Trillian Servers are vulnerable to Heartbleed. An updated version, 22.214.171.124, has been released and all in-house customers will be sent additional information directly via email shortly. If you’re not sure whether your company has updated its server and need assistance or clarification, please get in touch.
Because the surface area of this vulnerability is so large and impacts thousands of different companies, we recommend that all Trillian users change their passwords as a precautionary measure. The recommended way to change your password is from within Trillian itself, in preferences. This is also a good opportunity to review your overall password strategy: make sure you don’t share passwords between sites and that your passwords are as strong as possible!