StartMail Addresses Heartbleed SSL Threat
Last modified on 26 March 2015 10:26 PM

"Heartbleed" is a security vulnerability in OpenSSL, a widely used implementation of SSL/TLS encryption, that was made public on April 8th, 2014. Heartbleed lets an attacker read portions of a vulnerable server's memory, which can expose the private keys used to encrypt data transmissions. This could permit eavesdropping on communications and even access to sensitive data such as passwords. StartMail's exposure to the Heartbleed attack was limited because of proactive security measures built into its design and our commitment to maintaining state-of-the-art security standards.

A key StartMail design feature involves deliberate isolation between system components to limit the impact of unknown security threats like this one. Access to one component does not automatically provide access to other components.

We also helped mitigate any Heartbleed risk to our users by deploying, from the start, a more secure SSL/TLS configuration that provides Perfect Forward Secrecy (PFS). PFS is supported by most recent browser versions. Because PFS negotiates a different, short-lived "per session" encryption key for each connection, even if a site's private SSL key is compromised, past communications are protected from retroactive decryption.
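To make the PFS argument above concrete, here is an added illustration written for this page (it is not StartMail's code and models no real TLS implementation). It compares two toy handshakes: a static "key transport" mode, where the session key is recomputable from the server's long-term secret plus what crossed the wire, and an ephemeral Diffie-Hellman mode, where the long-term secret only authenticates. An HMAC tag stands in for the server's signature, and the RFC 2409 group 2 prime is assumed to be transcribed correctly (any large prime would serve the demonstration).

```python
import hashlib, hmac, secrets

# Toy DH group: 1024-bit MODP prime from RFC 2409 (group 2), generator 2.
# A real deployment uses a modern group (ffdhe2048 or an elliptic curve).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def session_key(shared: bytes) -> bytes:
    """Hash-based KDF: shared secret -> symmetric session key."""
    return hashlib.sha256(shared).digest()

def static_key_transport(server_private: bytes):
    """No PFS: the session key is a function of the server's long-term secret and
    values visible on the wire (a simplified stand-in for RSA key transport)."""
    client_nonce = secrets.token_bytes(32)
    key = session_key(hmac.new(server_private, client_nonce, "sha256").digest())
    return key, {"client_nonce": client_nonce}

def ephemeral_dh(server_private: bytes):
    """PFS: fresh exponents for this connection only; the long-term secret merely
    authenticates the server's ephemeral value and never enters the session key."""
    a = secrets.randbelow(P - 3) + 2                   # client ephemeral exponent
    b = secrets.randbelow(P - 3) + 2                   # server ephemeral exponent
    A, B = pow(G, a, P), pow(G, b, P)                  # the values that cross the wire
    shared = pow(A, b, P).to_bytes(128, "big")
    sig = hmac.new(server_private, B.to_bytes(128, "big"), "sha256").digest()
    del a, b                                           # exponents are discarded after the handshake
    return session_key(shared), {"A": A, "B": B, "sig": sig}

def attacker_with_leaked_key(server_private: bytes, transcript: dict) -> dict:
    """What a recorded transcript yields once the long-term key has leaked."""
    if "client_nonce" in transcript:                   # static mode: key fully recomputable
        nonce = transcript["client_nonce"]
        key = session_key(hmac.new(server_private, nonce, "sha256").digest())
        return {"can_forge_auth": True, "session_key": key}
    # PFS mode: the leaked key only lets the holder verify authentication tags (and
    # impersonate the server until the key is rotated, which is why certificates are
    # replaced); the recorded session key would need a discrete log of A or B.
    tag = hmac.new(server_private, transcript["B"].to_bytes(128, "big"), "sha256").digest()
    return {"can_forge_auth": hmac.compare_digest(tag, transcript["sig"]), "session_key": None}

def run_demo():
    server_private = secrets.token_bytes(32)           # constructed stand-in for the server key
    k_static, t_static = static_key_transport(server_private)
    k_pfs, t_pfs = ephemeral_dh(server_private)
    # Later the private key leaks (as Heartbleed allowed) and the attacker has recorded traffic.
    r_static = attacker_with_leaked_key(server_private, t_static)
    r_pfs = attacker_with_leaked_key(server_private, t_pfs)
    return r_static["session_key"] == k_static, r_pfs["session_key"] is None
```

`run_demo()` returns `(True, True)`: the static session is decryptable in retrospect, the PFS session is not, even though the same long-term key leaked in both cases.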

Security is a moving target, and we work hard to stay ahead of the curve. Within hours of the initial Heartbleed security advisory, StartMail's encryption module updates were completed and encryption certificates were changed.

Because of our quick response and the many additional safety and security measures we had in place, our security team sees little risk of any abuse from Heartbleed. That said, we cannot exclude the theoretical possibility of compromised account passwords, mobile/IMAP device passwords and PGP passphrases, because a Heartbleed attack leaves no traces on the server.

Since we cannot exclude the possibility that StartMail accounts were compromised, we recommend that users change their account passwords. Instructions on how to reset the three main passwords, and the consequences of doing so, can be found here for your login password, PGP passphrase, and Mobile/IMAP device password. 

StartMail maintains the highest levels of encryption security in the industry. See Qualys' SSL Labs evaluation of StartMail's encryption features and its A+ rating here: https://www.ssllabs.com/ssltest/analyze.html?d=startmail.com

For more information on the Heartbleed bug, please read the following informative CNET article by reporter Stephen Shankland:

"Heartbleed" bug undoes Web encryption, reveals Yahoo passwords: http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/
