github.com/blog/1818-security-heartbleed-vulnerability

On April 7, 2014 information was released about a new vulnerability (CVE-2014-0160) in OpenSSL, the cryptography library that powers the vast majority of private communication across the Internet. This library is key for maintaining privacy between servers and clients, and confirming that Internet servers are who they say they are.

This vulnerability, known as Heartbleed, would allow an attacker to steal the keys that protect communication, user passwords, even the system memory of a vulnerable server. This represents a major risk to large portions of private traffic on the Internet, including GitHub.
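The reason a single library bug could expose keys, passwords and arbitrary server memory is worth seeing concretely. Below is an added illustration in C, not OpenSSL's source and not part of GitHub's post, modelling the TLS heartbeat handler: the unpatched code trusted the peer-supplied payload length, and the fix added one bounds check. The record layout follows RFC 6520; the two sample records are constructed, and the `demo_*` helper names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not OpenSSL's source: a simplified model of the TLS
 * heartbeat request handler whose missing length check was CVE-2014-0160.
 * A heartbeat record is laid out as:
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian, supplied by the peer
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding
 * The responder copies payload_length bytes back to the peer. Unpatched
 * code trusted payload_length; when it exceeded the bytes actually received,
 * the copy ran past the record into whatever else sat in process memory. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

static size_t hb_claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Hardened handler (mirrors the shape of the 1.0.1g fix): writes the
 * response into out and returns its length, or -1 when the record must be
 * silently discarded. */
static int heartbeat_reply(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return -1;  /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = hb_claimed_len(rec);
    /* The check that was missing: claimed payload plus padding must fit
     * inside the bytes actually received. */
    if (HB_HEADER + payload + HB_PADDING > rec_len) return -1;
    if (HB_HEADER + payload > out_cap) return -1;     /* respect our own buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    return (int)(HB_HEADER + payload);
}

/* How many bytes past the end of the record the unpatched handler would have
 * copied for this request (0 for a well-formed one). Computes, never reads. */
static size_t heartbeat_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER) return 0;
    size_t payload = hb_claimed_len(rec);
    size_t available = rec_len - HB_HEADER;
    return payload > available ? payload - available : 0;
}

/* Constructed sample records (not captured traffic): 3-byte header,
 * 5-byte payload "hello", 16 bytes of padding = 24 bytes each. */
static const uint8_t VALID_REC[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t MALFORMED_REC[] = {
    HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',   /* claims 65535 bytes */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

int demo_valid_reply_len(void)
{
    uint8_t out[64];
    return heartbeat_reply(VALID_REC, sizeof VALID_REC, out, sizeof out);
}

int demo_malformed_reply_len(void)
{
    uint8_t out[64];
    return heartbeat_reply(MALFORMED_REC, sizeof MALFORMED_REC, out, sizeof out);
}

size_t demo_malformed_overread(void)
{
    return heartbeat_overread_bytes(MALFORMED_REC, sizeof MALFORMED_REC);
}

int main(void)
{
    printf("valid request -> reply of %d bytes\n", demo_valid_reply_len());
    printf("malformed request -> %d (discarded); unpatched code would have "
           "copied %zu bytes past the record\n",
           demo_malformed_reply_len(), demo_malformed_overread());
    return 0;
}
```

The malformed record is only 24 bytes long but claims a 65535-byte payload; the hardened handler discards it, whereas the unpatched logic would have copied 65514 bytes of adjacent memory into the reply. That is why patching the library, and then rotating keys and credentials that may have been in that memory, go together.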

As of right now, we have no indication that the attack has been used against GitHub. That said, the nature of the attack makes it hard to detect so we're proceeding with a high level of caution.

What is GitHub doing about this?

We've completed a number of measures already and continue to work the issue.

- We've patched all our systems using the newer, protected versions of OpenSSL. We started upgrading yesterday after the vulnerability became public and completed the rollout today. We are also working with our providers to make sure they're upgrading their systems to minimize GitHub's exposure.
- We've recreated and redeployed new SSL keys and reset internal credentials. We have also revoked our older certs just to be safe.
- We're in the process of forcibly resetting all existing browser sessions. This means you will be logged out and have to log back into GitHub. This is a proactive measure to defend against potential session hijacking attacks that may have taken place while the vulnerability was open. We will update this post when all sessions have been reset.
- Lastly, we have already worked to use any available methods to proactively protect against attacks like this. At the end of last year we deployed Perfect Forward Secrecy, which makes it impossible to use stolen encryption keys to read old encrypted communication. We are working to find more opportunities like this.
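Operators following the same first step, upgrading OpenSSL, need a quick way to tell whether a host is still on an affected build. The script below is an added example, not from GitHub's post: it classifies an OpenSSL version string against the upstream affected range for CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g) and checks the binary on the local PATH. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not GitHub's code): classify an OpenSSL version string as
# affected by CVE-2014-0160. Upstream affected range: 1.0.1 through 1.0.1f
# and 1.0.2-beta1; fixed in 1.0.1g. The 0.9.8 and 1.0.0 branches never
# shipped the heartbeat code.
# Returns 0 (true) when the version is in the affected range, 1 otherwise.
heartbleed_affected_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version token out of `openssl version` output, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_version_token() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Check the binary on PATH. Exit status: 0 = affected range, 1 = not in
# the range, 2 = no openssl binary found.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH"
        return 2
    fi
    v=$(openssl_version_token "$(openssl version)")
    if heartbleed_affected_version "$v"; then
        echo "OpenSSL $v: version string is in the Heartbleed-affected range"
        return 0
    fi
    echo "OpenSSL $v: not in the affected upstream range"
    return 1
}

if check_local_openssl; then
    echo "ACTION: upgrade to 1.0.1g or later, then re-issue keys and certificates"
fi
```

One caveat the version string cannot settle: distributions that backported the fix kept the old upstream number (a patched 1.0.1e package still reports 1.0.1e), so a hit from this check means "verify against the package changelog", while a build from the fixed range is reliably clear. Remember also that a restarted library is what matters; long-running services keep the old code in memory until they are restarted.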

What can you do about this?

While at this time GitHub has no indication that the attack has been used beyond testing the vulnerability, users who want to be extra cautious should take the following steps:

- Reset your GitHub password
- Enable Two-Factor Authentication
- Revoke and recreate OAuth tokens
- Stay tuned

GitHub works hard to keep your code safe. We are continuing to respond to this vulnerability and will post updates as things progress. Keep an eye on Twitter and here for more information.
