The Heartbleed vulnerability found in OpenSSL last week has everyone worried, and rightfully so. So of course we did an investigation and wanted to let you know the status of how Heartbleed has affected us and, by extension, you as our customers.
In short, it hasn’t, and everything should be safe.
Our servers run a combination of Windows Server, Linux, and even Mac OS X Server. Thankfully, we found none of our server software to be running OpenSSL versions that were affected by Heartbleed. On top, our customer-facing http://secure.remobjects.com website is running on Microsoft IIS (using ASP.NET and Oxygene) and thus not using OpenSSL to begin with. This is the site that all logins (including for direct website login, but also for Single-SignOn to services such as Talk, or for license downloads from within products) go through, as well as all payment information when you place orders. (On an unrelated note, we want to point out that we never store your payment information. It is passed through to the merchant as you place an order, but your credit card details are not retained by us.) We have received no information from our back-end merchant services provider to indicate they have been affected by Heartbleed.
Our Products are not directly affected by Heartbleed either. Only RemObjects SDK for Cocoa used OpenSSL under the hood until about two years ago, but the library was used only for purposes of the “AES Encryption Envelopes” feature, which does not cover the surface area of the Heartbleed exploit. In addition, RemObjects SDK for Cocoa was migrated away from OpenSSL to Apple’s CommonCrypto library about two years ago, so any applications built with recent versions of RO/Cocoa does not leverage OpenSSL at all.
Standalone RemObjects SDK or Data Abstract Servers implemented in .NET and running over HTTPS using Microsoft’s or Mono’s HTTPS base implementation (pretty much the standard/default if you are running a .NET based RO/DA server and did not go out of your way to hook up a custom SSL layer) are not affected by Heartbleed. Neither are applications hosted in Microsoft’s IIS web server and using Microsoft’s SSL/TLS stack.
That said, if you are deploying RemObjects SDK or Data Abstract servers via HTTPS, we still recommend that you review the parts of your tool stack that fall outside of RemObjects SDK and Data Abstract itself. For Example, Delphi’s Indy libraries optionally use OpenSSL to implement SSL/TLS functionality, so depending on what version of Indy you are using, and what version of OpenSSL you are using with it, your application might be affected by Heartbleed. The same may be the case if you are hosting RO/DA service applications on a web server such as Apache that might be using OpenSSL under the hood.
We will continue to be on the lookout, and keep you informed if any new information arises.