RescueTime handling of Heartbleed SSL bug
Posted: April 9, 2014
This week, a security vulnerability known as the Heartbleed bug was discovered to be affecting major websites across the internet. RescueTime’s servers have been updated to address this issue.
All requests to RescueTime use SSL (HTTPS). All requests are terminated by Amazon using their Elastic Load Balancing service. This service was patched to eliminate the Heartbleed bug on April 8th. This means users are currently protected against leakage resulting from this bug.
Additionally, as of April 9 all RescueTime server systems have been patched for the bug, or have been identified as not vulnerable. This is more a precaution than a requirement, since users do not connect directly to any RescueTime servers.
RescueTime is in the process of updating all passwords used in the administration of the service as the dependent services themselves are updated to protect against the bug. For example, when the site service we use announces that it is patched, we then update the password.
However, as a further guarantee of security, RescueTime will also update its server SSL certificates used in HTTPS and other privileged resources over the next week. We will post a second update when that is complete.
What should you do at this point?
It is now safe to change your password on www.rescuetime.com. You may also want to read our list of general steps you can take to browse the web safely while other websites are responding to the Heartbleed vulnerability.