So a funny thing happened on the way to this blog post. Last week, Instapaper enabled SSL by default. Great news, no? We pushed the change to production, drafted our blog post to announce the news, and then decided to wait a few days until we were sure everything was working as it should. And then, as if on cue, blam! The Heartbleed vulnerability was disclosed on Monday night. It required a bit of scrambling on our part, but nothing too painful.
Here’s what Instapaper users need to know about our Heartbleed fix, followed by an explanation of why and how we turned on SSL by default.
As soon as Heartbleed came to light, we began taking all the necessary measures to close off any possible vulnerabilities.
On Monday evening, as soon as patches were available, we began patching all of our core systems. By Tuesday morning, our systems and our load balancer (which is operated by Amazon) had all been patched. Today, we have issued a new security certificate and invalidated all of the existing sessions to help ensure that our system stays secure. If you’re into reading certs, you’ll note that our new certificate has a Valid From date that indicates the day we originally purchased it, but the cert itself was replaced this morning.
We have no evidence that any user data was exposed by this vulnerability; however, for the sake of total safety, we are recommending that all users change their passwords.
SSL by Default
At Instapaper, we’re strongly committed to our users’ privacy and data security. In an effort to make Instapaper more secure, we’ve enabled SSL encryption by default for all requests on the service. Encrypting web requests by default makes it harder for others to identify users, and helps protect users who might not be aware that they are being observed. For our users, these changes should be unnoticeable — they will not affect your Instapaper experience and will automatically provide better privacy and data security.
To ensure backward compatibility for third-party applications, we will still allow public API requests over unencrypted HTTP. However, non-SSL API requests for third-party applications are discouraged as of today, and will not be supported as of June 1st, 2014. If you are a developer implementing an integration with Instapaper, we ask that you please take the necessary steps to enable SSL on all API requests prior to June 1st.
While all your requests to Instapaper will be encrypted, it’s important to note that some images and videos that appear inside of articles will still be retrieved via non-secure channels from the original provider. As a result, a hypothetical eavesdropper could potentially infer what content you’re viewing. If that’s a concern for you, some web browsers have settings that will disable the loading of non-SSL elements like images and videos.
For more information about SSL encryption, you can visit the following links: