
Openssl - Heartbleed Vulnerability


Rosanne


http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/

 

This is huge. Big names like Amazon, Yahoo, GitHub, and possibly Google (since they reported the vulnerability) use it. It's at the heart of Apache and nginx. I'm already changing passwords on the sites I know are patched (rumor has it that Yahoo is NOT one of them :-P ). Do y'all use OpenSSL, and if so, is it patched yet?

 

 


Our servers are all secure; we do have checks in place to counter such vulnerabilities. The specifics we cannot discuss in an open forum, I am sure you will understand. But what I can tell you is, we take security very seriously, and all our servers are updated and patched for any issues reported as soon as they are in the public domain.


My local security expert sent me this in a message this morning:

 

Not only do affected servers need to be updated, they must have any secure certificates re-generated under safe conditions, and all user accounts reset. Reports over the past few days show that many organisations only seem to be doing the update, leaving their customers at risk.

 

Can you just confirm that TCH have done all parts of this and it is now safe to change our passwords?


While not 100% necessary, all of our shared certs are in the process of being updated; this will take time.

 

If you own and have an SSL certificate and you decide you want to have it replaced, then please open a ticket and we can discuss your options. Note that this will require that we revoke and reissue your certificate, which will mean that until completed you will get certificate warnings on your site.

 

If you do not have an SSL certificate on your site and do not use our shared SSL, then none of this affects you. Also note that this only affects our CentOS 6 servers, which at the moment are a small part of our server farm.


Thanks. This whole mess is going to make me have to review what my instructors TRIED to teach me about encryption and how keys work. I checked a couple of the big ones, saw that they were dated this week, and figured that was a good indicator.

Edited by Rosanne

Just some additional information for anyone who does choose to have their cert reissued (one that was purchased from us).

 

After contacting us, the following steps will occur:

  • We will generate a new Certificate Signing Request (CSR) and Private Key, which will be used to reissue and install the new certificate.
  • We will have to verify domain ownership again; how long this takes will depend on the certificate type. Most will be done within an hour.
  • Once verified, the certificate is reissued and we will reinstall the new certificate.
  • The old certificate will then be automatically revoked within 12 to 24 hours after being reissued. Correction: This only applies to a small percentage of certificates through us. If you have a Comodo certificate from us, your serial number will need to be recorded and we will have to manually revoke it.

 

 

 

Update from our admin team: this only affected 28% of our shared servers. If you want to know whether your server was affected or not, you can run the simple PHP script I have attached here.

 

tchhb.php

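One way to carry out the first step above (new key and CSR) and the serial-number note, as an added shell example that is not the script attached to the post and not TCH's own process: it generates a fresh private key and CSR, records the old certificate's serial for the manual revocation, and checks that the new key really differs from the one in the old certificate, since a reissue that reuses a possibly leaked key protects nothing. Domain name and file paths are hypothetical; the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Reissue helper: fresh key + CSR, old serial for revocation, key-rotation check.
# Assumes the openssl command-line tool; all paths/domains are caller-supplied.
set -eu

# Generate a new private key and CSR. The old key is never reused here.
make_new_key_and_csr() {
    domain=$1; key=$2; csr=$3
    # umask in a subshell so the key file is created owner-readable only
    ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null )
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$domain" 2>/dev/null
}

# Serial number of the certificate being replaced (what the CA needs to revoke it).
old_cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# SHA-256 of the PEM public key taken from a certificate ...
pubkey_fingerprint_cert() {
    openssl x509 -in "$1" -pubkey -noout | openssl sha256 | awk '{print $NF}'
}

# ... and from a private key; equal fingerprints mean the same key pair.
pubkey_fingerprint_key() {
    openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if the new private key is NOT the key bound to the old certificate.
key_was_rotated() {
    old_cert=$1; new_key=$2
    [ "$(pubkey_fingerprint_cert "$old_cert")" != "$(pubkey_fingerprint_key "$new_key")" ]
}
```

Call `make_new_key_and_csr example.test new.key new.csr`, hand `new.csr` to the CA, and keep the value of `old_cert_serial old.crt` for the revocation request; `key_was_rotated old.crt new.key` should succeed before you submit anything.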
