Eventbrite + Heartbleed: What You Need to Know

Paul Pieralde is the Principal Product Security Manager at Eventbrite.

At Eventbrite, we take security seriously, and have a specialized team of data security and fraud experts to monitor and protect our users’ data. Given the importance we place on data protection, we use OpenSSL, the de facto industry standard library used by every major Internet company, for encryption.

On Monday, April 7th, we became aware of a bug in OpenSSL, aka ‘Heartbleed’. We quickly identified and analyzed the issue, deployed a fix, reissued our SSL certificate, and closed the vulnerability. As with all security threats, we are closely monitoring the situation.

At this time, we do not believe any user data has been compromised.

Edit, April 10, 2014:

There has been some confusion about the Validity Dates of Eventbrite’s SSL Certificate, so we would like to take a moment to clear up the confusion with a bit of technical detail.

After patching our OpenSSL libraries and restarting services to use those patched libraries, we generated a new private key and signed a new Certificate Signing Request, then sent this CSR off to DigiCert. They sent back a properly signed SSL certificate for *.eventbrite.com and related international domains, which is tied to our new key and new CSR.

Digicert made the Valid From – To dates match the previous certificate, as this is part of their standard operating procedure.

The old Eventbrite certificate (serial number 06:bf:73:60:c9:a6:61:4c:69:4e:47:60:9e:d8:9c:eb) was revoked and the new certificate (serial number 04:eb:99:3f:eb:be:ec:41:d5:b4:42:24:09:ce:85:b3) is now live on the Eventbrite.com site.

To verify the revocation of our old certificate, you would need our old certificate, along with the “DigiCert High Assurance CA-3” issuing certificate. Then you can use OpenSSL to query http://ocsp.digicert.com and see that the old certificate has in fact been revoked:

$ openssl ocsp -issuer digicertCA3.crt -cert oldEventbrite.crt -url http://ocsp.digicert.com -resp_text -respout resp.der
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 50EA7389DB29FB108F9EE50120D4DE79994883F7
    Produced At: Apr  9 21:06:00 2014 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: ED48ADDDCB7B00E20E842AA9B409F1AC3034CF96
      Issuer Key Hash: 50EA7389DB29FB108F9EE50120D4DE79994883F7
      Serial Number: 06BF7360C9A6614C694E47609ED89CEB
    Cert Status: revoked
    Revocation Time: Apr  8 19:47:41 2014 GMT
    This Update: Apr  9 21:06:00 2014 GMT
    Next Update: Apr 16 21:21:00 2014 GMT
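Reading that output by eye is error-prone: the serial number appears in two different spellings (colon-separated lower-case hex in the post, bare upper-case hex in the OCSP response), and a response is only meaningful if it is successful, is about the certificate you asked about, and is still inside its This Update / Next Update window. The following Python script is an added example (not Eventbrite's code, not part of the original post) that parses the `openssl ocsp -resp_text` output quoted above, normalises serial numbers so the two spellings compare equal, and returns a verdict. The response text is copied from the post as constructed sample input so the check runs offline; the function names (`parse_ocsp_text`, `normalize_serial`, `check_revocation`) are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the `openssl ocsp -resp_text` output quoted in the
# post, embedded here so the check can run without querying the responder.
SAMPLE_OCSP_TEXT = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 50EA7389DB29FB108F9EE50120D4DE79994883F7
    Produced At: Apr  9 21:06:00 2014 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: ED48ADDDCB7B00E20E842AA9B409F1AC3034CF96
      Issuer Key Hash: 50EA7389DB29FB108F9EE50120D4DE79994883F7
      Serial Number: 06BF7360C9A6614C694E47609ED89CEB
    Cert Status: revoked
    Revocation Time: Apr  8 19:47:41 2014 GMT
    This Update: Apr  9 21:06:00 2014 GMT
    Next Update: Apr 16 21:21:00 2014 GMT
"""

# Serial numbers as the post prints them (colon-separated, lower-case hex).
OLD_SERIAL = "06:bf:73:60:c9:a6:61:4c:69:4e:47:60:9e:d8:9c:eb"
NEW_SERIAL = "04:eb:99:3f:eb:be:ec:41:d5:b4:42:24:09:ce:85:b3"

OPENSSL_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"  # e.g. "Apr  8 19:47:41 2014 GMT"


def normalize_serial(serial):
    """Return the serial as an integer so '06:bf:..', '06BF..' and '6bf..' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", serial)
    if not digits:
        raise ValueError("no hex digits in serial number: %r" % serial)
    return int(digits, 16)


def parse_ocsp_time(value):
    """Parse an openssl-style timestamp; strptime tolerates the double space before day 8/9."""
    return datetime.strptime(value, OPENSSL_TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_ocsp_text(text):
    """Collect the 'Key: value' lines of -resp_text output into a dict.

    The single-certificate case shown in the post is assumed; if a response
    carried several certificates, only the first occurrence of each key is kept.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key and key not in fields:
            fields[key] = value
    return fields


def check_revocation(text, expected_serial, as_of=None):
    """Decide whether the response proves that expected_serial is revoked.

    as_of is the time at which the response is being relied on (default: now);
    a response outside its This Update..Next Update window is stale and rejected.
    """
    fields = parse_ocsp_text(text)
    as_of = as_of or datetime.now(timezone.utc)
    problems = []

    if not fields.get("OCSP Response Status", "").startswith("successful"):
        problems.append("responder did not return a successful response")

    try:
        serial_matches = normalize_serial(fields.get("Serial Number", "")) == normalize_serial(expected_serial)
    except ValueError:
        serial_matches = False
    if not serial_matches:
        problems.append("response does not describe the expected serial number")

    status = fields.get("Cert Status", "").lower()
    if status != "revoked":
        problems.append("cert status is %r, not 'revoked'" % status)

    revocation_time = None
    if "Revocation Time" in fields:
        revocation_time = parse_ocsp_time(fields["Revocation Time"])

    # Freshness: the responder only vouches for the status within this window.
    if "This Update" in fields and "Next Update" in fields:
        if not parse_ocsp_time(fields["This Update"]) <= as_of <= parse_ocsp_time(fields["Next Update"]):
            problems.append("response is outside its validity window")
    else:
        problems.append("response carries no validity window")

    return {
        "revoked": not problems,
        "status": status,
        "revocation_time": revocation_time,
        "problems": problems,
    }


if __name__ == "__main__":
    verdict = check_revocation(SAMPLE_OCSP_TEXT, OLD_SERIAL, as_of=parse_ocsp_time("Apr 10 12:00:00 2014 GMT"))
    print("old certificate revoked:", verdict["revoked"], verdict["problems"])
    # The validity dates of the new certificate match the old one, so the serial
    # number, not the dates, is what shows that the certificate actually changed.
    print("serials differ:", normalize_serial(OLD_SERIAL) != normalize_serial(NEW_SERIAL))
```

Two things this script deliberately leaves to `openssl ocsp` itself: verifying the responder's signature (openssl reports "Response verify OK" or a verification failure separately from the `-resp_text` dump) and fetching the response over the network. Run against today's clock, the 2014 sample is rejected as outside its validity window, which is the intended behaviour: a stale OCSP response proves nothing about the certificate's current status.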

If you have any additional questions regarding Heartbleed, please do not hesitate to reach out: Eventbrite.com/contact-us