MaxCDN Update on CVE-2014-0160 aka Heartbleed
April 10, 2014 | Max Shubin
Update (Wednesday April 16th 2014): For those who are using EdgeSSL and had MaxCDN purchase your certificate, your private keys have been updated without any interruption of service. If you uploaded your own certificates, we urge you to regenerate your private keys and upload the new certificates ASAP. This support article explains how to do it: http://support.maxcdn.com/howto/setup-private-ssl/
In response to the OpenSSL bug known as “Heartbleed” (CVE-2014-0160), we have audited our entire network and patched all vulnerable OpenSSL implementations.
Our OpenSSL implementation is compiled into our Edge Servers running Nginx. This meant a new Nginx package had to be recompiled and deployed on each and every one of our servers.
On Monday, April 7th 2014, we began our audit immediately and devised a plan to update all affected servers and regenerate any private keys that could have been exposed by the vulnerability.
Early Tuesday, April 8th 2014, the MaxCDN NOC patched Nginx and started a rolling restart, beginning in the regions that had the least amount of traffic. By early afternoon we had completed the restarts and the patching of other essential systems without any downtime.
We also recommend that you enable Two Step Authentication on your account just to be safe.
If you have any further questions or concerns please feel free to reach out to our support team: firstname.lastname@example.org
P.S. For those who run Nginx on their own servers here are the steps needed to patch your servers: http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/. You can then use this site to check if your server(s) are secure or not: http://filippo.io/Heartbleed/
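For the self-hosted case in the P.S., an added example (not MaxCDN's or NGINX's code) that classifies the OpenSSL release named in a version banner against the CVE-2014-0160 range, 1.0.1 through 1.0.1f plus 1.0.2-beta1. The function names and the sample banners are constructed; it assumes a banner of the form `OpenSSL <version>`, as printed by `openssl version` or by an `nginx -V` that reports the OpenSSL it was built with.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version banner against the
# CVE-2014-0160 release range (1.0.1 through 1.0.1f, and 1.0.2-beta1).

# Extract the version token from text containing "OpenSSL <version>".
openssl_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9A-Za-z.-]*\).*/\1/p' |
        head -n 1
}

# Print affected-range, not-affected or unknown for a version token.
# A "-fips" suffix (seen on some distribution builds) is ignored.
heartbleed_status() {
    case "${1%-fips}" in
        1.0.1|1.0.1[abcdef]|1.0.2-beta1)
            echo affected-range ;;
        0.9.*|1.0.0*|1.0.1[g-z]|1.0.2-beta[2-9]|1.0.2|1.0.2[a-z]*|1.1.*|3.*)
            echo not-affected ;;
        *)
            echo unknown ;;
    esac
}

# Convenience wrapper: banner text in, "<version> <status>" out.
check_banner() {
    v=$(openssl_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "none unknown"
    else
        echo "$v $(heartbleed_status "$v")"
    fi
}

# Constructed sample banners (assumed formats, not captured output).
check_banner 'built with OpenSSL 1.0.1e 11 Feb 2013'
check_banner 'OpenSSL 1.0.1g 7 Apr 2014'
check_banner 'OpenSSL 1.0.1e-fips 11 Feb 2013'
check_banner 'OpenSSL 0.9.8y 5 Feb 2013'
```

Distribution packages that backported the fix keep the old version letter, so `affected-range` means "confirm against the package changelog and restart Nginx", not "confirmed vulnerable". When OpenSSL is compiled into Nginx, as described above, the system `openssl version` says nothing about the copy inside the Nginx binary.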