Heartbleed—How Has it Affected Martus?

By Benetech, posted on

As most people know, on April 7, 2014, a serious vulnerability was announced in the OpenSSL cryptographic software library, the encryption technology used by most Web servers to secure communications over the Internet. The vulnerability, known as the Heartbleed Bug, allows more data to be read than should be allowed, which may compromise a user’s encrypted information.

Martus Servers Update

The good news is that the Martus servers (where all data is stored and backed up) are not affected by the recent OpenSSL security vulnerability, because they rely on a Java implementation of SSL known as Java Secure Socket Extension (JSSE) and because they run unaffected versions of OpenSSL. Our Martus website was also not affected.

Martus Desktop (Mac OS, Linux, Windows)

The Martus Desktop client also relies on JSSE and was not affected by the Heartbleed bug.

Mobile Martus (Android)

Most versions of Android use a version of OpenSSL that is not vulnerable. However, Android 4.1.1 runs a version of OpenSSL that is vulnerable. According to Google, less than 10% of Android-based devices run version 4.1.1. The total number of devices in circulation is estimated to be 1 billion. That means the Heartbleed bug still affects about 10 million devices. You can read more about this vulnerability in Android 4.1.1.

Recommendation for Mobile Martus users running Android 4.1.1:

We recommend you update Android. Once the update is complete, delete and then recreate your Martus Mobile account, so that a new private key is generated.

If you are unable to update Android 4.1.1—and therefore unable to update OpenSSL—we strongly suggest that you do not use Mobile Martus.

Tor

Martus Desktop has embedded Tor via Orchid, which also runs on JSSE and is unaffected by the Heartbleed bug.

Mobile Martus relies on Orbot for the implementation of Tor. Orbot was vulnerable but has been patched. The risk was that anonymity could have been compromised. It is recommended that all users update Orbot. To learn more about the impact on the Tor network, please visit the Tor Project website.

To learn more about the Heartbleed bug, please visit http://heartbleed.com.

If you have any questions regarding Martus, please contact our support team at help@martus.org.