Update: April 10
We are now reissuing all SSL certificates together with our two CA providers – Comodo and GlobalSign, in order to eliminate any risk of private key leakage. Most of our certificates have already been reissued and the whole process is expected to complete within the next 24 hours. The reissuing process is conducted behind the scenes and requires no further action from our clients.
Extensive testing we conducted failed to demonstrate the possibility of private key compromise, except under the most contrived scenarios. However, we concluded that the risk does exist for any certificate deployed on OpenSSL over the past two years, given the fact that the vulnerability has been around since March 2012.
We have further approached our customers using custom SSL certificates about re-issuing their certificates. We believe it is advisable for all other OpenSSL users to do so as well.
On Monday of this week, security researchers released details of a security vulnerability in the OpenSSL protocol. The vulnerability, nicknamed “Heartbleed,” potentially allows an attacker to access information from a client or server’s memory.
Incapsula uses OpenSSL in our cloud-based Application Delivery service. The vulnerability has been fixed in OpenSSL v1.0.1g. Incapsula completed the upgrade to this version at 6:30AM Pacific Time on Tuesday morning, across our entire network. We believe this has resolved the issue for any servers or applications running on the Incapsula service.
We are now conducting tests to assess risk and also working with our providers regarding any further action needed. In the meantime, we strongly advise customers to invalidate persistent cookies, and possibly use Incapsula’s integrated Two Factor Authentication solution to further secure sensitive login and administrative areas.
For existing Incapsula customers with additional technical questions, please contact Incapsula support. Organizations who would like to understand how Incapsula can protect SSL-enabled applications using our Application Delivery service can request a technical meeting by contacting our account team.