By now you will almost certainly have read about the recent “Heartbleed” bug that affected many services across the Internet. Like many others, we were notified of the vulnerability early last week and patched our servers within the hour. As a precaution, we also reset all active user sessions at the same time; apologies if you were forced to log back in, but until the issue was better understood, this seemed a wise precaution.
We have found no evidence of malicious behaviour, but we have replaced our SSL certificates, including those not using the affected OpenSSL software. This also ensures that we are correctly validated as “not vulnerable” by the main checking services.
Because the affected software (OpenSSL) provides encryption for so many services on the Internet, the prevailing advice is to reset your passwords across all services you use that may have been vulnerable, especially if you use common passwords. Please note that you should first check that the service you are changing the password for is no longer affected. This can be verified using services like LastPass’s Heartbleed checker: https://lastpass.com/heartbleed/ – if you wish to change your Milestone Planner password, go directly to milestoneplanner.com and change your password with the reset password link, or via “my account” settings.
This also seemed like a good time to tighten up our login options. Mozilla’s “Persona” authentication is relatively unused, so we will be retiring this in the next week. If you were previously using the Persona authentication service, you can set a password for your account, and continue to use Milestone Planner with a normal login. We will also be updating the Google sign in process to use Google’s most recent APIs. If you login using G+ or Google sign in, you may be prompted to re-authorise Milestone Planner as we make this change. If you have any problems signing in, simply reply to this email or use the feedback form and we will investigate. We do not believe that there are any immediate security issues with these services, but we want to ensure we are using well maintained services.
When people ask if cloud services are secure, it is worth bearing in mind that the most common sources of data leakage and data loss remain email and failed hard drives. Emailing locally stored spreadsheets and documents remains higher risk than using a managed cloud-based service for your data, so there is no reason not to login and keep your plans up to date.