11 April 2014 Last updated on 11 April 2014

Executive summary: Our software is NOT affected by Heartbleed.

 Dear all,

Earlier this week a major security flaw was discovered in OpenSSL, the encryption and secure communications library used by key components of web sites including the popular web servers Apache and NginX. This bug, dubbed Heartbleed, allows a remote attacker to read small chunks of server memory, potentially (but not necessarily) including the secret keys used to encrypt communications between the server and your browser. This can happen in a way that usually leaves no trace.

Please let us make something extremely clear: our software does not use OpenSSL and is, therefore, not susceptible to the Heartbleed bug. This bug only affects OpenSSL which is used by 66% of all web sites on the Internet to power their https:// URLs.

In practical terms, security researchers have stated that they are not sure if the Heartbleed bug has ever been used in the wild. Heartbleed is nine parts mass hysteria and one part security issue. Even if the attack was used in the wild and against a web server the attacker would have to perform a Man-In-The-Middle attack to eavesdrop the (encrypted) communications between the server and the client including the initial handshake to be able to decrypt the data being exchanged. This is a major concern for using the services of high-value targets (e.g. Google) but of practically no concern when using the services of a low-value target like the sites of Joomla! extension developers. Banks, payment processors and other financial institutions seem to have escaped unscathed as they were not using OpenSSL.

Even though our server, like 66% of the entire Internet, was using Apache which was affected by this bug, to the best of our knowledge no information has been leaked from it. Even if it did, the amount of work required to exploit it makes it extremely unlikely that a very low value target like us would be affected. Exploiting the Heartbleed bug is not for the faint at heart: it is several levels above the average site hacker's experience level and requires massive resources. However, since prevention is better than regret we recommend you to change your passwords on all sites you have visited in the last two years, including our own. We still maintain that it's FAR more likely to have your password stolen by malware than by the result of the laborious exploitation of the Heartbleed bug.

In any case please bear in mind that we never store or process financial information directly on our servers. All financial information (credit card data, PayPal login information) is NEVER processed or even transmitted to our servers. This is actually required for us to be in full compliance with the security guidelines which are part of our contractual obligations against the payments processing companies we are using to process your payments. All of your transactions are processed by established payment processing companies (2Checkout Inc and PayMill GmbH) which were not susceptible to the Hearbleed bug.

Finally, in the interest of full disclosure, please note that we have already been in the process of replacing the SSL certificates of our site before the Heartbleed bug was announced (lucky timing!). We have already applied for an SSL EV (Extended Validation a.k.a. "green bar") certificate. It's a matter of time to have our application approved and the SSL certificate of our site replaced. We expect this to happen around May 1st.

Stay vigilant and safe on- and off-line.

Best regards,

Nicholas K. Dionysopoulos
Akeeba Ltd