The recent news about a bug present in certain versions of the OpenSSL network encryption project has for good reasons caused great concern in the security community. Officially named CVE-2014-0160 but more popularly known as the Heartbleed Bug, it allows an unauthenticated attacker to read portions of server process memory. The ability to read arbitrary memory locations in turn allows an attacker to potentially access data from an encrypted connection once it has been decrypted inside the server process. In addition, an attacker may be able to read the private key for the server’s certificate because the private key is loaded into server memory. Possession of this key can allow decryption of SSL traffic captured by eavesdropping, for example on a WiFi network. This is all really bad news.
The good news for us, and NuevaSync users is that we’re unaffected by this bug. This is because although we do use OpenSSL, we do not use the vulnerable versions of the OpenSSL library (and haven’t in the past either). The absence of the Heartbleed vulnerability in our services has been verified both by an audit of source code and running binaries, and by testing against the various SSL endpoints we expose, just to be extra sure (there have been cases reported where a “non-vulnerable” version of OpenSSL had in fact had the bug “back-ported” into the code, so a version check alone is not sufficient).