Heartbleed Status

Some of you may have noticed that the site has been down for the better part of the past hour or so. That's because I've been hard at work fixing the Heartbleed bug everyone's been talking about the past few days. Here's an update on our Heartbleed status.

On Tuesday, April 8th I was alerted to the existence of the Heartbleed bug. At that point I tested the Write.app server manually and via the really handy Heartbleed checker. At that time the site was vulnerable.

Rather than take the site down immediately I searched for solutions to the bug. When they were available I began implementing them on a development server. When all tests passed I began implementing them on the production site.

At about 5:15pm CST the site went down. I upgraded OpenSSL to the latest patched version, generated new SSL keys, and requested that the site's SSL certificates be reissued. When I received the certificate files I accidentally mismanaged some server settings and the site went down for about an hour. The site was only supposed to be down for about 3 minutes so this was unexpected and I apologize.

Because the Heartbleed attack is transparent there's no way of knowing if the site has been compromised. There's no reason to believe we were but for the sake of security I'll be sending notices to the entire userbase of Write.app asking everyone to change their passwords immediately.

Again, there is no reason to believe this site has been compromised. It is standard protocol in a situation like this to ask all users to secure their accounts.

You can see Write.app's Heartbleed test results here.

More notes