Securing PythonAnywhere from the Heartbleed bug


The short version

The Heartbleed bug impacted PythonAnywhere (along with pretty much every Linux-based web service out there). We don’t believe there’s any risk that customer data has been leaked as a result of this problem, with the single exception of private keys for HTTPS certificates for custom domains – that is, for websites hosted with us that don’t end with .pythonanywhere.com. We don’t have any reason to believe that those private keys were leaked either – they’re just the only data that we think could possibly have been leaked by it.

[UPDATE: Robert Graham at Errata Security points out that Heartbleed could also potentially have been used to harvest session cookies, usernames and passwords from users of affected sites. He’s right, though it would be hard to do, and unlikely that someone would have targeted us for that. But just to be sure, we recommend you change your PythonAnywhere password, log out, then log back in again, and get users of your website to do likewise. Just to be clear on this: we don’t think this has been used against us, and have no indication that it has. But it’s better to be safe than sorry.]

The details

As you may have read, a bug in OpenSSL was announced last night that could potentially have been used to extract data from webservers, for example the private keys used to encrypt websites’ SSL certificates. It exploits the SSL heartbeat extension, and has been nicknamed “Heartbleed”. There’s more information in this TechCrunch article.

All servers running recent versions of Linux were affected – a very large percentage of the Internet – and PythonAnywhere’s were among them. All of our servers have been patched since early this morning, so the attack is now not possible against us. The only risk is that data might have been leaked before then.

We do not believe at this time that there’s any risk that any data apart from SSL certificates’ private keys could have been leaked. So for most PythonAnywhere users, everything should be fine. (Our own key for our own certificate for www.pythonanywhere.com might have been leaked, but we’ve changed it and are working on revoking the old certificate.)

For those customers who host websites on custom domains with PythonAnywhere (that is, domains that don’t end with .pythonanywhere.com), there is a possibility that hackers who knew about this bug before this morning could have used it to extract their private keys. We have notified all such customers by email with details on what to do next; if you do have a custom domain with your own certificate and haven’t received an email from us, drop us a line and we’ll let you know what to do next.

If you have any questions, just let us know.

What we did

Due to some heroic work on the part of the Ubuntu team, patched versions of the affected libraries were ready by the time we started working on this. So patching all of our servers was just a few commands on each server that did HTTPS:

apt-get update
apt-get install openssl libssl-dev libssl1.0.0

And then a service tornado restart or service nginx restart, depending on what the HTTPS service was on the server.

We used @titanous’s Heartbleeder command-line tool and Filippo Valsorda’s Heartbleed test page both before and after the fix to make sure we really had fixed the problem.

We’re confident that the patches we’ve applied are enough to fix the bug, at least as it’s currently understood.

comments powered by Disqus