Hello, Is Todoist concerned by the Internet wide security issue Heartbleed? If yes did you fix it? Thanks! Best regards, Andreas
I'd also appreciate an update on this. Thanks!
Just checked at Qualys SSL Labs and it looks like Todoist is fine: https://www.ssllabs.com/ssltest/analyze.html?d=todoist.com
Any official statement? Was Todoist not affected all the time or did you fix it? Do we have to change our passwords?
I see some messages on Twitter claiming that the Todoist service and its users were not affected, because Amazon load balancing services are being used and they have been fixed. This claim is not solid, because any service that was using a vulnerable version of OpenSSL could have been compromised over the last two years. The Amazon service has now been fixed, so changing passwords could be good advice. Sure, a real statement from Todoist would still be welcome.
I'd appreciate an official statement from Todoist. In fact, I'm really disappointed that this question hasn't been answered by the Todoist team yet.
Hello, Thanks to AWS infrastructure, the issue has been eliminated very fast already on their end. We don't have any reasons to believe that someone has gotten unauthorized access to someone else's data. However, as this issue affected many big services and providers, you're welcome to change passwords on your accounts incl. your Todoist account, as a general precaution. @Silvia, we're sorry to hear that you're disappointed, we wanted to avoid making statements before we thoroughly investigate the situation and be able to give you true and clear information rather than quick assumptions. Best regards, David
Hello David! I understand the wish to avoid confusion by not issuing a hasty statement, but having to wait for a security statement is frustrating. But, the statement is here, so that's good. From what I gather, AWS was vulnerable and fixed, and no one knows for sure if or when someone was affected, which is of course not really comforting to know, but there's nothing we can do about that. There has been talk about new SSL certificates after fixing the exploit - I assume that was done for todoist.com, too? Best wishes Silvia
Silvia, We're on this right now, we'll renew our certificate very soon just as another precaution on our end. Best regards, David
Hello David! That's good to know. Will you notify us after you get the new certificate so we can change the password as a precaution? Better safe than sorry :-) Thanks again for the fast answer! Best wishes Silvia
Silvia, We'll have a new one tomorrow, probably in the morning, European time :-) Best regards, David
Hello David! Now that was really fast! That's really wonderful news - and we can all feel a bit safer now! Best wishes Silvia
Have you already replaced the certificate so that we can change our passwords?
Hello, We have now issued a new certificate, please log out, clear the cache and/or SSL state in your browsers and request a password reset link (or change the password from the settings). Best regards, David
Thank you very much David!
If I am using my Google sign-in for TD, do I need to change my password? I've already changed my Google pw and signed out and signed into TD.
Cannot access Todoist from my laptop (Win XP SP2/Chrome) since 4/11/14, gives SSL Error message screen "Technical details: The certificate that Chrome received during this connection attempt is not formatted correctly, so Chrome cannot use it to protect your information. Error type: Malformed certificate." Assume related to new certificate based on thread above. Can access Todoist from my desktop computer (Win XP SP3/Chrome), however. Cleared Chrome cache, no effect. May be many others w/same problem unable to access Todoist Support to notify you. Please advise.
Hello, @G - if you're only using Google sign-in, never logged in manually and have created your Todoist account this way, then your Todoist account does not have any password attached to it at all, it logs you in based on Google's authorization. @Steven - considering that the affected laptop runs Windows' Service Pack 2 and not 3, we're unsure what certificate issues this version can cause. We've used all correct standards to implement it on our end and it should behave on any modern or updated system. Please note that Windows XP in general is no longer updated and supported by Microsoft, leaving computers that still run it vulnerable to exploits. Best regards, David