Along with many other sites on the internet, Quantopian is taking steps to protect itself from the "Heartbleed Bug", which was disclosed yesterday. Although we have no reason to believe that our site or any of our members' accounts or data have been compromised, we are taking a number of precautions to safeguard the security of our members' accounts. We will be documenting here the steps we are taking.
[DONE] We are generating a new SSL certificate to protect our site, using a newly generated encryption key; deploying the new key and certificate to our servers; and asking our SSL certificate authority to revoke our old certificate.
[DONE] We are adding a prominent banner within our application notifying all members to change their passwords. The banner will go away automatically when the user's password is changed.
[DONE] We are requiring all members who have brokerage accounts configured within Quantopian to change their passwords.
[DONE] We are modifying our application so that members are not able to configure a brokerage account within Quantopian until they have changed their password.
[DONE] We are rotating the passwords and encryption keys that the components of our application use when communicating with each other. This requires application downtime on the evening of April 8, 2014, starting at 5:00pm US/Eastern.
[DONE] We are generating new encryption keys used to protect data in our databases and re-encrypting all data using the new keys.