A major OpenSSL vulnerability was revealed yesterday. Learn more about the Heartbleed Bug.
The Restlet Operations team immediately started analyzing its implications: our AWS Elastic Load Balancers (ELB) used for APISpark were our main infrastructure component at risk.
Amazon has now fully fixed its ELBs and communicated the procedure for its customers to renew their SSL certificates. We have now completed the renewal of our SSL certificates for both APISpark.com and APISpark.net.
The Restlet Framework itself isn’t directly affected: it relies on the Java Virtual Machine, which includes its own SSL implementation that is not related to OpenSSL.
However, be aware that some Java EE application servers such as Tomcat or JBoss allow you to use a native SSL implementation based on OpenSSL, so please double-check how your Restlet applications are deployed and run in production.
Sometimes SSL encryption is terminated upstream of your Restlet application (as it is for APISpark), so you might still be vulnerable at that layer.
If you have any questions or concerns, don’t hesitate to contact us via email.