On Monday, April 7th, a vulnerability called Heartbleed was discovered in OpenSSL, a cryptographic library used by websites to handle SSL and HTTPS. The vulnerability is a major concern because OpenSSL is widely used, and it could allow normally encrypted web communications to be intercepted.
First, we want to update you on how this impacts Dashlane:
- Your Dashlane accounts are not impacted by this flaw
- Your Master Passwords are safe as they are never transmitted
- Your personal data is always encrypted locally with AES-256 before it is transmitted, and AES-256 itself is not affected by the Heartbleed vulnerability
More specifically, though we use OpenSSL when syncing your personal data with our servers:
- Your Master Password is never transmitted over any network, nor is any derivative of your Master Password
- Your personal data is encrypted locally, with your Master Password, before being sent to our servers, using a cryptographic algorithm not affected by Heartbleed (AES-256)
The Heartbleed Bug – What is it?
According to Heartbleed.com (a site built by the bug’s discoverers):
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
How does this affect my Dashlane account?
As we mentioned above, your Dashlane account and Master Passwords are safe. Our servers have been updated with the patch, and we have revoked our previous certificates and rolled out new ones. There will be no interruption in our services, and the information that you store in Dashlane is not affected by the Heartbleed bug.
Though your Dashlane account remains safe, many of the websites that you use do not have the level of security and encryption that we use. We recommend you generate new passwords on your most important accounts – banking, email, social networks, or any shopping sites where you store your payment info. Note, however, that a site must apply the patch for this bug before your account there is secure again; if you change a password before a site is patched, you’ll need to change it once more after the site has been fixed.
We understand you might be worried, as the whole Internet seems to be a bit shaken by this. We see this issue as a test of our security architecture, and one that showed how solid it is.
The most important thing is to make sure you use different passwords everywhere, because if your password is stolen on one site, it will not impact other sites; this was true before Heartbleed and is even more true today.
We’ll be sure to keep you updated about the situation, and we want to thank you for securing your data in Dashlane.