Friday, April 11th, 2014

Box Protection Against OpenSSL “Heartbleed” Vulnerability


As most of you have heard by now, a major security flaw was discovered with OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption for a majority of sites and services across the web, on April 7. We have run a full investigation and have no indication that Box has been targeted or attacked in relation to this bug, but for those of you looking for more information I’d like to share some context and the steps we’ve taken to protect our users.

“Heartbleed” is one of the worst vulnerabilities I have seen in the past 10 years. Those of you who have been in security for a while know that we can never prevent everything that comes our way, but we can build processes and culture of rapid response. When we found out about the OpenSSL vulnerability this week, our team didn’t go home until early hours of the morning the following day – we had to be certain that our users were safe.

What actions have we taken?

Within hours of notification about this vulnerability, we released a patch to OpenSSL to protect all logins and content. In addition, we performed internal and external scanning to confirm that all Internet-facing Box services were not vulnerable to this attack. And we immediately initiated the process of revoking and reissuing our SSL certificates for the product to be extra cautious. We now have all new certificates in place.

To date, we have no indication that Box has been targeted or attacked in relation to this bug and we have not detected any malicious activity. As an additional measure, we are in the process of notifying users that logged into their accounts since we upgraded our servers earlier this year and started running a version of OpenSSL that contained the vulnerability, advising them to reset their Box passwords. Again, this is just an added precautionary measure, but Heartbleed deserves this level of caution.

So, where do we go from here?

If I could ask you to do one thing – turn on two-factor authentication today. Beyond that, make sure that you’re using strong password requirements for all your users – internal and external. Also, if you’re using one of our SSO partner integrations like Okta, Ping, or OneLogin, we encourage you to turn on the the SSO-required option within Box in combination with two-factor authentication option in the SSO solution. Account protection is a critical element of a security strategy and we’ve made significant investments so our customers have the controls they need to keep user information safe. My team is committed to keeping your data protected.

Check out our help page for the latest info on our responses to the Heartbleed bug:

  • aaron ashfield provides the best protection against heartbleed: No-Passwords, 2FA, Keyless RSA SecurID and continuous authentication, all happening in the background…

  • Brian Adkins

    You recommend setting up strong password requirements to ensure security. It’s a real shame that you only provide this service to Enterprise clients (and not ALL paying clients). With something as important as the Heartbleed Bug, security remediations from SaaS companies should not depend on “how much you pay us”.

    • imthekuni

      I believe even the standard accounts can access 2-step login protection by navigating to the upper menu bar (Account…Profile & Branding) and selecting “Security” and then check the box for 2-step login verification.

  • Matt6

    Do you thing things like these ( are trustworthy and useful to find out heartbleed vulnerability?

  • haridsv

    If you see turning on two-factor authentication as critical to increasing security, why won’t you encourage more folks to sign-up by adding support for google authenticator?

  • Willame

    Eu criei minha conta aq depois disso acontecer e até agora num tem nada de errado, tomara que continue assim sempre.

  • Laser Lock

    As most internet users change all their passwords in response to heart bleed, and most system administrators patch OpenSSL and install new certificates, perhaps it’s time to ask why anyone is still using passwords for authentication? While strong authentication incorporating biometrics can’t protect a compromised SSL session, it can avoid identity theft, replay attacks and all the pain and suffering we’re all now going to have to deal with. The availability of strong authentication solutions that incorporate face and voice recognition, and work with users existing equipment, begs the question, why websites that truly want to protect their users would continue relying on passwords, PINS or any shared secrets? Much stronger, easier to use and more resilient solutions are readily available – Just ask Mr. Garza or me?

    Paul Donfried – CTO, LaserLock Technologies