Product

Mailgun and Heartbleed

An overview of the heartbleed security vulnerability in OpenSSL that affected Mailgun in 2014. Read more...

PUBLISHED ON

PUBLISHED ON

This was reported on April 10, 2014.

Heartbleed

Earlier this week, we were alerted to a security vulnerability in OpenSSL [1] [2]. While this vulnerability was not in Mailgun code, Mailgun does use the OpenSSL library to secure HTTPS connections to our servers, so we were susceptible to it as well. In security parlance, Heartbleed was an arbitrary read vulnerability allowing the attacker to read 64kb of memory out of the affected processes memory space. What made this bug particularly treacherous was that it left no trace and allowed the attacker to gain access to private keys effectively defeating the TLS security mechanism.

Mitigation

Once we found out about Heartbleeed we analyzed where our infrastructure was vulnerable and patched the affected servers. The architecture of Mailgun allows us to terminate all SSL/TLS connections when they enter our data center; thus we only had a few servers to patch. This work was completed by Tuesday, April 8th, 2014 at 1:00 PM PDT.

Once the patch was rolled out, we also updated our certificates to ensure that even if our private keys were stolen, they could no longer be used.

If you want to verify yourself, you can build and run a script called Heartbleed or use their web application to check the security of Mailgun or any other site for the Heartbleed vulnerability [3] [4].

Customer Impact

Since this vulnerability leaves no trace and allowed the attacker to arbitrarily read memory of our nginx processes, your API key and SMTP credentials may have been compromised. While the likelihood of such an attack having occurred is low, we recommend all customers regenerate their API key and SMTP credentials (you can do this from the Control Panel) to be on the safe side [5].

If you have any other questions, feel free to drop us an email at support@mailgun.com.

[1] http://heartbleed.com [2] https://news.ycombinator.com/item?id=7548991 [3] https://github.com/FiloSottile/Heartbleed/ [4] http://filippo.io/Heartbleed/ [5] https://mailgun.com/cp

Related readings

Privacy, automatic engagements, and Mailgun’s bot detection

Now more than ever, users are concerned about their data privacy and what steps they can take to protect their personal information. And that’s something big players in the tech...

Read more

Here’s how to track email opens in Gmail with email tracking

Sending email campaigns doesn’t have to feel like you’re throwing darts into a black hole. Email analytics are a great way to determine the health of your ecommerce campaign and...

Read more

Everything you need to know about sending email with APIs

Are you creating an e-commerce web page that needs to send transactional emails to customers? A developer building a web application that needs to send messages to email...

Read more

Popular posts

Mailgun iconSee what you can accomplish with the world's best email delivery platform. It's easy to get started.Let's get sending
CTA icon Mailgun Icon