- What's new
InboxReady x Salesforce: The Key to a Stronger Email Deliverability
Mailgun Team
• 5 min read
- What's new
Mailgun And Heartbleed
Mailgun Team
• 5 min read
This was reported on April 10, 2014.
Heartbleed
Earlier this week, we were alerted to a security vulnerability in OpenSSL [1] [2]. While this vulnerability was not in Mailgun code, Mailgun does use the OpenSSL library to secure HTTPS connections to our servers, so we were susceptible to it as well. In security parlance, Heartbleed was an arbitrary read vulnerability allowing the attacker to read 64kb of memory out of the affected processes memory space. What made this bug particularly treacherous was that it left no trace and allowed the attacker to gain access to private keys effectively defeating the TLS security mechanism.
Mitigation
Once we found out about Heartbleeed we analyzed where our infrastructure was vulnerable and patched the affected servers. The architecture of Mailgun allows us to terminate all SSL/TLS connections when they enter our data center; thus we only had a few servers to patch. This work was completed by Tuesday, April 8th, 2014 at 1:00 PM PDT.
Once the patch was rolled out, we also updated our certificates to ensure that even if our private keys were stolen, they could no longer be used.
If you want to verify yourself, you can build and run a script called Heartbleed or use their web application to check the security of Mailgun or any other site for the Heartbleed vulnerability [3] [4].
Customer Impact
Since this vulnerability leaves no trace and allowed the attacker to arbitrarily read memory of our nginx processes, your API key and SMTP credentials may have been compromised. While the likelihood of such an attack having occurred is low, we recommend all customers regenerate their API key and SMTP credentials (you can do this from the Control Panel) to be on the safe side [5].
If you have any other questions, feel free to drop us an email at support@mailgun.com.
[1] http://heartbleed.com [2] https://news.ycombinator.com/item?id=7548991 [3] https://github.com/FiloSottile/Heartbleed/ [4] http://filippo.io/Heartbleed/ [5] https://mailgun.com/cp
Last updated on August 27, 2019
- Related posts
- Recent posts
- Top posts
- Security
Email Security Best Practices: How To Keep Your Email Program Safe
Phil Adams• 13 min read- Best Practices
How To Improve Your Email Deliverability In 2022
Mary Dolan• 10 min read- Security
Mailgun’s Active Defense Against Log4j
Adam Cole• 5 min read- What's new
Mailgun Joins Sinch: The Future of Customer Communications Is Here
Mailgun Team• 4 min read- Security
Vulnerability Management: Working With the Community To Patch Security Threats
Jesse Kinser• 7 min read- What's new
Mailpets: For The Love Of Animals
Natalie Hays• 3 min read- Security
A Word of Caution For Laravel Developers
Nick Schafer• 4 min read- Security
Privacy Matters: Your Data Is Safe With Us
Darine Fayed• 5 min read- Security
TLS Version 1.0 and 1.1 Deprecation
Chris Farmer• 6 min read
- What's new
InboxReady x Salesforce: The Key to a Stronger Email Deliverability
Mailgun Team• 5 min read- Email DIY
Become an Email Pro With Our Templates API
Sergey Chekluev• 8 min read- Best Practices
Google Postmaster Tools: Understanding Sender Reputation
Cameron Henry• 8 min read- Quick tips
Navigating Your Career as a Woman in Tech
Celeste Rance• 13 min read- Guides
Implementing Dmarc – A Step-by-Step Guide
Phil Adams• 11 min read- Best Practices
Email Bounces: What To Do About Them
Mailgun Team• 7 min read- What's new
Announcing InboxReady: The deliverability suite you need to hit the inbox
Mailgun Team• 5 min read- Events
Black History Month in Tech: 7 Visionaries Who Shaped The Future
Ron Davis• 13 min read- Best Practices
How To Create a Successful Triggered Email Program
Beatriz Redondo Tejedor• 11 min read- For devs
Designing HTML Email Templates For Transactional Emails
Mailgun Team• 4 min read
- What's new
InboxReady x Salesforce: The Key to a Stronger Email Deliverability
Mailgun Team• 5 min read- Guides
Implementing Dmarc – A Step-by-Step Guide
Phil Adams• 11 min read- What's new
Announcing InboxReady: The deliverability suite you need to hit the inbox
Mailgun Team• 5 min read- For devs
Designing HTML Email Templates For Transactional Emails
Mailgun Team• 4 min read- Security
Email Security Best Practices: How To Keep Your Email Program Safe
Phil Adams• 13 min read- Security
Mailgun’s Active Defense Against Log4j
Adam Cole• 5 min read- Best Practices
Email Blasts: The Dos And Many Don’ts Of Mass Email Sending
Mailgun Team• 8 min read- Quick tips
Email's Best of 2021
Kate Nowrouzi• 5 min read- For devs
5 Ideas For Better Developer-Designer Collaboration
Nicki Snyder• 10 min read- What's new
Mailgun Joins Sinch: The Future of Customer Communications Is Here
Mailgun Team• 4 min read
Always be in the know and grab free email resources!
No spam, ever. Only musings and writings from the Mailgun team.
By sending this form, I agree that Mailgun may contact me and process my data in accordance with its Privacy Policy.
sign up
It's easy to get started. And it's free.
See what you can accomplish with the world's best email delivery platform.