TL;DR

A major security issue has been fixed in one of the cryptographic libraries used by almost all services on the internet. Thanks to the way MyKolab.com's encryption is configured, past sessions should still be secure. Our team responded immediately and issued updates for the affected software and certificates, so future communications with MyKolab.com are immune to this particular issue.

But this seems like a good opportunity to ensure you are following all the general recommendations on staying safe, outlined below.

This also means we have a new SSL certificate. You can compare the fingerprints below with what your browser or mail client shows for MyKolab.com:

  • Issuer: COMODO CA Limited, PositiveSSL CA 2
  • Valid from: 27.01.2014 01:00:00 (27.01.2014 00:00:00 GMT)
  • Valid until: 31.01.2015 00:59:59 (30.01.2015 23:59:59 GMT)
  • SHA256 Fingerprint=14:10:93:0D:5E:7C:6C:AB:B1:6E:32:7C:5D:38:C0:12:A1:52:0B:7F:3C:32:FD:28:99:D3:F2:AD:0E:93:05:74
  • SHA1 Fingerprint=2F:46:23:A8:55:A7:54:89:C1:C3:0B:D4:8F:13:F5:DE:D0:7C:AA:A4

Background

Last night's release of OpenSSL fixed what has aptly been called the "Heartbleed Bug". The bug is extremely severe: a flaw in the TLS heartbeat extension lets a remote peer read chunks of the process memory of any service running an affected OpenSSL version (1.0.1 through 1.0.1f), which can include private keys, session keys and user data. Since that is the majority of the internet, it affects almost everyone.

Kolab Systems provides its Kolab Enterprise customers with a version of OpenSSL that enables stronger ciphers, including those required for Perfect Forward Secrecy (PFS). We have therefore immediately provided an updated package, openssl-1.0.1e-21.el6.kolab_13, to all our enterprise customers and strongly recommend updating right away from our kolab-13-updates repository, as described in the errata you have been issued this morning.

Customers who have been following our recommended setup, and have therefore been using PFS, may find some reassurance in knowing that PFS should have protected their past communications: the session keys are derived from ephemeral Diffie-Hellman exchanges rather than from the server's long-term private key, so a leaked private key does not allow recorded traffic to be decrypted. From the dedicated Heartbleed Bug information page:

Does Perfect Forward Secrecy (PFS) mitigate this?

Use of Perfect Forward Secrecy (PFS), which is unfortunately rare but powerful, should protect past communications from retrospective decryption. Please see https://twitter.com/ivanristic/status/453280081897467905 how leaked tickets may affect this.

Given the above, and since the bug can expose the server's private key, we also recommend that customers re-issue their certificates to be on the safe side, and restart the affected services so that cached session keys and session tickets from before the update are discarded.

So what does this mean for MyKolab.com?

MyKolab.com runs Kolab Enterprise 13 and uses the strongest available encryption setup, including Perfect Forward Secrecy (PFS). We immediately deployed the update and refreshed the certificate; thanks to PFS, your past communications should still be protected. Users who want to be on the safe side as quickly as possible should update their operating systems where affected, terminate all running sessions, and log in again.
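The two things a user can verify for themselves are that the server presents the re-issued certificate (its fingerprints are listed at the top of this post) and that the connection negotiated a forward-secret key exchange. The following is an added example, not code from Kolab Systems or MyKolab.com: it computes a certificate fingerprint the way `openssl x509 -fingerprint` does (the hash of the certificate's DER encoding), compares it with the published value, and classifies the negotiated cipher suite. The published SHA-256 value below is the one listed in this post and is tied to that specific 2014 certificate; substitute whatever value is currently published before running it against a live server.

```python
"""Verify a TLS server's certificate fingerprint and key-exchange method.

Added example, not MyKolab.com's own code. The host name, port and the
published fingerprint are taken from the post above; everything else is an
assumption made for illustration.
"""
import hashlib
import socket
import ssl

# SHA-256 fingerprint of the re-issued certificate as published in the post.
PUBLISHED_SHA256 = (
    "14:10:93:0D:5E:7C:6C:AB:B1:6E:32:7C:5D:38:C0:12:"
    "A1:52:0B:7F:3C:32:FD:28:99:D3:F2:AD:0E:93:05:74"
)


def format_fingerprint(digest: bytes) -> str:
    """Render a raw digest as colon-separated upper-case hex, like OpenSSL."""
    return ":".join(f"{byte:02X}" for byte in digest)


def certificate_fingerprint(der_cert: bytes, algo: str = "sha256") -> str:
    """A certificate fingerprint is the hash of its DER encoding, nothing more."""
    return format_fingerprint(hashlib.new(algo, der_cert).digest())


def fingerprints_match(actual: str, expected: str) -> bool:
    """Compare two fingerprints regardless of case, colons or spaces."""
    def normalize(value: str) -> str:
        return value.replace(":", "").replace(" ", "").lower()
    return normalize(actual) == normalize(expected)


def is_forward_secret(cipher_name: str, protocol: str) -> bool:
    """True if the negotiated suite used an ephemeral (EC)DH key exchange.

    OpenSSL names forward-secret TLS 1.2 suites with an ECDHE- or DHE- prefix;
    a TLS 1.3 full handshake always uses an ephemeral exchange.
    """
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def inspect_server(host: str, port: int = 443) -> tuple[str, str, str]:
    """Connect with full certificate validation and return
    (sha256 fingerprint, negotiated cipher name, protocol version)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            der_cert = tls.getpeercert(binary_form=True)
            cipher_name, protocol, _bits = tls.cipher()
    return certificate_fingerprint(der_cert), cipher_name, protocol


if __name__ == "__main__":
    fingerprint, cipher_name, protocol = inspect_server("mykolab.com")
    print(f"certificate SHA-256: {fingerprint}")
    print("matches published value:",
          fingerprints_match(fingerprint, PUBLISHED_SHA256))
    print(f"negotiated {cipher_name} over {protocol}; forward secret:",
          is_forward_secret(cipher_name, protocol))
```

The same fingerprint can be obtained from the command line with `openssl s_client -connect mykolab.com:443 -servername mykolab.com </dev/null | openssl x509 -noout -fingerprint -sha256`; the `s_client` output also names the negotiated cipher, so the ECDHE/DHE check can be done by eye. A fingerprint that does not match the published one means either the certificate has been re-issued again or something is intercepting the connection, and in both cases the safe reaction is to stop and check with the provider.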

General Recommendations on Staying Safe

This incident should also serve as a reminder of some good principles for staying safe:

  • Keep your systems updated: Security issues are found all the time, so always keep your systems up to date.
  • Encrypt your devices: Most operating systems and mobile phones offer an option to encrypt their storage. Use it. It is not perfect, but a whole lot better than not doing it.
  • Lock your screens: Whether it is your mobile or your desktop, set a sensible password, configure automatic locking, and lock your screen whenever you turn away from it.
  • Never re-use passwords: Never use the same password for two different services.
  • Choose good passwords: Choosing passwords is a science in and of itself. This howto has some workable suggestions.
  • Regularly change your passwords: There are many ways passwords are lost or stolen, and the longer a password is in use, the higher the probability that it has been compromised. So change your passwords regularly; many users do this once a year.

So why not start following these principles today, pick a better password, and use the web interface to update your login details for MyKolab.com?