Has GAE ever used OpenSSL for its frontend servers? It’s quite interesting in the context of the Heartbleed security hole. It would be nice to get a confirmation from Google that no risks are present.
Asked
Active
Viewed 235 times
1
-
3If you want confirmation from google, then you might want to actually ask google... – MichelZ Apr 09 '14 at 15:26
-
It appears that they don't have a public announcement on this. Your only option is to ask them, but you should assume that they were for operating procedures. – Jacob Apr 09 '14 at 18:24
-
Correct. An update from Google: http://googleonlinesecurity.blogspot.ca/2014/04/google-services-updated-to-address.html – user3515350 Apr 09 '14 at 21:57
-
The eight hours has passed; feel free to post a full answer. – Michael Hampton Apr 15 '14 at 00:21
1 Answers
1
As already mentioned in the comment according to the Google Online Security Blog App Engine was affected.
A patch has been written and I assume applied to the Google services on March 21st, long before the vulnerability became public.
Assuming nobody knew about this bug before March 21st no further steps are necessary. Since you can't be entirely sure the best way to ensure a secure service is to follow this checklist.
- Re-issue new SSL certificates for your domains (find a guide here)
- Change your passwords and revoke existing sessions
- Revoke and recreate access tokens
There is more good news. App Engine supports Forward Secrecy. This feature mitigates attacks by making it impossible to use a stolen encryption key to read old encrypted communication.
Nik Graf
- 111
- 4