
Todoist and Heartbleed

Hello,

Is Todoist concerned by the Internet wide security issue Heartbleed? If yes did you fix it?

Thanks!

Best regards,
Andreas

All responses

Andi Northrop premium
Replied on Apr 10, 2014 - 09:38 UTC

I'd also appreciate an update on this.

Thanks!

Andi Northrop premium
Replied on Apr 10, 2014 - 10:22 UTC

Just checked at Qualys SSL Labs and it looks like Todoist is fine:

https://www.ssllabs.com/ssltest/analyze.html?d=todoist.com

Andreas N. premium
Replied on Apr 10, 2014 - 14:01 UTC

Any official statement?

Was Todoist not affected all the time or did you fix it?

Do we have to change our passwords?

Marco Put-Carstens premium
Replied on Apr 10, 2014 - 14:36 UTC

I see some messages on Twitter claiming that the Todoist service and its users were not affected, because Amazon load balancing services are being used and they have been fixed.

This claim is not solid, because any service that was using a vulnerable version of OpenSSL could have been compromised over the last two years.

The Amazon service has now been fixed, so changing passwords could be good advice.

Sure, a real statement from Todoist would still be welcome.

Silvia premium
Replied on Apr 10, 2014 - 16:56 UTC

I'd appreciate an official statement from Todoist. In fact, I'm really disappointed that this question hasn't been answered by the Todoist team yet.

David Trey staff
Replied on Apr 10, 2014 - 17:51 UTC

Hello,

Thanks to AWS infrastructure, the issue has been eliminated very fast already on their end. We don't have any reasons to believe that someone has gotten unauthorized access to someone else's data. However, as this issue affected many big services and providers, you're welcome to change passwords on your accounts incl. your Todoist account, as a general precaution.

@Silvia, we're sorry to hear that you're disappointed; we wanted to avoid making statements before we had thoroughly investigated the situation and were able to give you true and clear information rather than quick assumptions.


Best regards,
David

Silvia premium
Replied on Apr 10, 2014 - 18:47 UTC

Hello David!

I understand the wish to avoid confusion by not issuing a hasty statement, but having to wait for a security statement is frustrating. But, the statement is here, so that's good.

From what I gather, AWS was vulnerable and fixed, and no one knows for sure if or when someone was affected, which is of course not really comforting to know, but there's nothing we can do about that.

There has been talk about new SSL certificates after fixing the exploit - I assume that was done for todoist.com, too?

Best wishes
Silvia

David Trey staff
Replied on Apr 10, 2014 - 18:51 UTC

Silvia,

We're on this right now, we'll renew our certificate very soon just as another precaution on our end.


Best regards,
David

Silvia premium
Replied on Apr 10, 2014 - 18:54 UTC

Hello David!

That's good to know. Will you notify us after you get the new certificate so we can change the password as a precaution? Better safe than sorry :-)

Thanks again for the fast answer!

Best wishes
Silvia

David Trey staff
Replied on Apr 10, 2014 - 20:24 UTC

Silvia,

We'll have a new one tomorrow, probably in the morning, European time :-)


Best regards,
David

Silvia premium
Replied on Apr 10, 2014 - 20:32 UTC

Hello David!

Now that was really fast! That's really wonderful news - and we can all feel a bit safer now!

Best wishes
Silvia

jubael premium
Replied on Apr 10, 2014 - 21:04 UTC

Thanks Team.

Andreas N. premium
Replied on Apr 11, 2014 - 12:52 UTC

Have you already replaced the certificate so that we can change our passwords?

David Trey staff
Replied on Apr 11, 2014 - 15:46 UTC

Hello,

We have now issued a new certificate. Please log out, clear the cache and/or SSL state in your browser, and request a password reset link (or change the password from the settings).


Best regards,
David
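The thread's remaining question is whether the server really presents a certificate issued after the Heartbleed fix, which is what decides whether a password change made afterwards is protected by a key that could not have been leaked. The following is an added example, not code from the thread or from Todoist: it parses the validity period straight out of a DER certificate with a minimal ASN.1 walker and compares notBefore with the public disclosure date (7 April 2014). The certificates it checks are constructed in the block itself (placeholder issuer, key and signature; the parser never reads those fields), and the function names `cert_validity`, `reissued_after` and `live_cert_der` are this example's own; only `live_cert_der` uses the network, and only when called explicitly.

```python
"""Check whether an X.509 certificate was issued after a cutoff date (e.g. the Heartbleed disclosure)."""
import ssl
from datetime import datetime, timezone

HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# ---- minimal DER helpers (tag-length-value) ------------------------------------------------
def tlv(buf, pos):
    """Read one TLV at buf[pos]; return (tag, value bytes, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der(tag, body):
    """Encode one TLV (used only to build the constructed sample certificates below)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def parse_time(tag, raw):
    """Decode an X.509 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:                          # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# ---- the check -------------------------------------------------------------------------------
def cert_validity(cert_der):
    """Return (notBefore, notAfter) from a DER-encoded certificate."""
    _, cert_body, _ = tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = tlv(cert_body, 0)            # tbsCertificate ::= SEQUENCE
    tag, _, pos = tlv(tbs, 0)                # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = tlv(tbs, pos)            # serialNumber
    _, _, pos = tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, _, pos = tlv(tbs, pos)                # issuer Name
    _, validity, _ = tlv(tbs, pos)           # Validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, p = tlv(validity, 0)
    t2, na, _ = tlv(validity, p)
    return parse_time(t1, nb), parse_time(t2, na)

def reissued_after(cert_der, cutoff=HEARTBLEED_DISCLOSURE):
    """True if the certificate's notBefore is on or after the cutoff (the key postdates the fix)."""
    not_before, _ = cert_validity(cert_der)
    return not_before >= cutoff

def live_cert_der(host, port=443):
    """Fetch the certificate a real server presents (network call; not used by the tests)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

# ---- constructed sample certificates (placeholder fields, no real key or signature) ----------
def _name(cn):                               # Name ::= SEQUENCE OF SET OF { OID commonName, PrintableString }
    atv = der(0x30, der(0x06, bytes([0x55, 0x04, 0x03])) + der(0x13, cn.encode()))
    return der(0x30, der(0x31, atv))

_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA

def make_sample_cert(not_before, not_after, cn="example-hostname.invalid"):
    """Build a structurally valid but unsigned certificate with the given validity window."""
    utc = lambda dt: der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))          # version v3
                    + der(0x02, b"\x01\x02\x03")            # serialNumber (constructed value)
                    + _ALG + _name("Example CA")
                    + der(0x30, utc(not_before) + utc(not_after))
                    + _name(cn) + der(0x30, b""))           # subjectPublicKeyInfo placeholder
    return der(0x30, tbs + _ALG + der(0x03, b"\x00" * 9))   # signatureValue placeholder

OLD_CERT = make_sample_cert(datetime(2013, 6, 1, tzinfo=timezone.utc), datetime(2015, 6, 1, tzinfo=timezone.utc))
NEW_CERT = make_sample_cert(datetime(2014, 4, 11, 15, 0, tzinfo=timezone.utc), datetime(2016, 4, 11, tzinfo=timezone.utc))

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        nb, na = cert_validity(cert)
        print(f"{label}: notBefore={nb:%Y-%m-%d} reissued_after_disclosure={reissued_after(cert)}")
```

Against a live host the same check is `reissued_after(live_cert_der("todoist.com"))`; a certificate whose notBefore predates the patch tells you the private key existed while the vulnerable OpenSSL was deployed, which is exactly why the thread waits for the new certificate before changing passwords.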

Andreas N. premium
Replied on Apr 12, 2014 - 10:17 UTC

Thank you very much David!

G Tom premium
Replied on Apr 13, 2014 - 02:10 UTC

If I am using my Google sign-in for TD, do I need to change my password? I've already changed my Google pw and signed out and signed into TD.

Steven Buchele
Replied on Apr 13, 2014 - 15:06 UTC

Cannot access Todoist from my laptop (Win XP SP2/Chrome) since 4/11/14, gives SSL Error message screen "Technical details: The certificate that Chrome received during this connection attempt is not formatted correctly, so Chrome cannot use it to protect your information. Error type: Malformed certificate." Assume related to new certificate based on thread above. Can access Todoist from my desktop computer (Win XP SP3/Chrome), however. Cleared Chrome cache, no effect. May be many others w/same problem unable to access Todoist Support to notify you. Please advise.

David Trey staff
Replied on Apr 14, 2014 - 12:22 UTC

Hello,

@G - if you're only using Google sign-in, never logged in manually and have created your Todoist account this way, then your Todoist account does not have any password attached to it at all, it logs you in based on Google's authorization.

@Steven - considering that the affected laptop runs Windows Service Pack 2 and not 3, we're unsure what certificate issues this version can cause. We've used all correct standards to implement it on our end and it should behave on any modern or updated system. Please note that Windows XP in general is no longer updated or supported by Microsoft, leaving computers that still run it vulnerable to exploits.


Best regards,
David