Like most service and software providers, we've been working hard at Zetetic to assess the impact for our customers resulting from this week's OpenSSL security disclosure, commonly known as the OpenSSL Heartbleed bug. More specifically referred to as CVE-2014-0160, this issue has undermined the security of many internet platforms by allowing attackers to read arbitrary memory from services using the popular OpenSSL library to provide secure communications over the web. This attack can allow extraction of private keys, session data, and user information from affected websites.
Users of the STRIP Password Manager may recall that the application uses Zetetic's SQLCipher encrypted database library to protect all underlying application data. While SQLCipher does make use of OpenSSL, it only relies on low-level encryption interfaces. Since there is no use of OpenSSL's SSL functions, there is nothing that would expose SQLCipher or STRIP to direct attack via Heartbleed. More details on the use of OpenSSL in SQLCipher are available separately in our Heartbleed Security Statement for SQLCipher.
As a result, we're pleased to report that users who currently rely on STRIP for their data security need not be concerned with Heartbleed exposure on their local computers and devices a result of the software.
It's important to note that STRIP does provide a variety of optional synchronization features that use cloud services like Dropbox and Google Drive. Both of those services used affected versions of OpenSSL in the past, and may have been vulnerable to the Heartbleed bug.
STRIP's synchronization features do keep copies of the encrypted STRIP data on the cloud service. However, STRIP is very careful never to expose any unencrypted data to cloud services during synchronization. All STRIP data stored in Dropbox or Google Drive is fully encrypted using a strong encryption key derived from your master password.
While there haven't been any public reports of attackers using Heartbleed against Google or Dropbox, the nature of the bug make it possible that data on those services could have accessed without knowledge. However, since the database is fully encrypted at rest using STRIP, there is no risk of plaintext data exposure.
Even with STRIP's advanced protections, this is a really good time to review the strength of your master password, because STRIP's security really comes down to the security of your passphrase.
We recommend using an alphanumeric passphrase with a combination of upper case, lowercase, digits, and meta-characters of the maximum length possible to allow for convenient entry.
If you are currently using a weak password, especially in combination with Cloud sync, we'd strongly recommend that you change your STRIP password now to ensure the long term security of your data.
Finally, many internet sites have been affected by the Heartbleed bug, and are issuing statements suggesting that users change their passwords, log out of mobile applications, and reset authentication tokens, etc. Please take these notices seriously and update your credentials for affected systems as soon as possible.
We take security seriously and we are happy to communicate with customers about the details of this issue, or how to take appropriate action, so please don't hesitate to contact us if you have any questions.
blog comments powered by Disqus