Jump to content

Openssl - Heartbleed Vulnerability

Rosanne

By Rosanne
in Open Discussion

 Share

Recommended Posts

Rosanne Contributor

Rosanne

Posted
Posted

http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/

 

This is huge. Big names like Amazon, Yahoo, GitHub, and possibly Google (since they reported the vulnerability) use it. It's at the heart of Apache and nginx. I'm already changing passwords on the sites I know are patched (rumor has it that Yahoo is NOT one of them :-P ). Do y'all use OpenSSL, and if so, is it patched yet?

 

 

TCH-Bala Grand Master

TCH-Bala

Posted
Posted

Our servers are all secure, we do have checks in place to counter such vulnerabilities, the specifics we cannot discuss in an open forum, I am sure you will understand. But what I can tell you is, we take security very seriously and all our servers are updated and patched for any issues reported as soon as they are in the public domain.

carbonize Experienced

carbonize

Posted
Posted

Yes but given this exploit has been around fora couple of years and leaves no traces you have no real way of knowing if somebody has used and and got a copy of the key.

Agrestis Apprentice

Agrestis

Posted
Posted

My local security expert sent me this in a message this morning:

 

Not only do affected servers need to be updated, they must have any secure
certificates re-generated under safe conditions, and all user accounts
reset. Reports over the past few days show that many organisations only
seem to be only doing the update - leaving their customers at risk.

 

Can you just confirm that TCH have done all parts of this and it is now safe to change our passwords.

  • Like 1
TCH-Dick Grand Master

TCH-Dick

Posted
Posted

While not 100% necessary, all of our shared certs are in the process of being updated, this will take time.

 

If you own and have a SSL certificate and you decide you want to have it replaced, then please open a ticket and we can discuss your options. Note that this will require we revoke and reissue your certificate, which will mean until completed you will get certificate warnings on your site.

 

If you do not not have an SSL certificate on your site and do not use our shared SSL, then no one of the affects you. Also note that this only affects our Centos 6 servers, which at the moment is a small part of our server farm.

Rosanne Contributor

Rosanne

Posted
  • Author
Posted

Thanks for the update! I had just run a check of both the totalchoicehosting and tchmachines certs, and yes, I would like to implement your new shared certs, once they're available.

 

Thanks!

TCH-Dick Grand Master

TCH-Dick

Posted
Posted

The certificates for our main site are already done. Note that the date is no indicator, issuing a new private key is not going to change the validity dates.

Rosanne Contributor

Rosanne

Posted
  • Author
Posted (edited)

Thanks. This whole mess is going to make me have to review what my instructors TRIED to teach me about encryption and how keys work. I checked a couple of the big ones, saw that they were dated this week, and figured that was a good indicator.

Edited by Rosanne
TCH-Dick Grand Master

TCH-Dick

Posted
Posted

Just some additional information for any that does choose to have their cert reissued(that purchased from us).

 

After contacting us the following steps will occur:

  • We will generate a new Certificate Signing Request (CSR) and Private Key, which will be used to reissue and install the new certificate.
  • We will have to verify domain ownership again, how long this takes will depend on the certificate type. Most will be within in an hour.
  • Once verified, the certificate is reissued and we will reinstall the new certificate.
  • The old certificate will then be automatically revoked within 12 to 24 hours after being reissued. Correction: This only applies to a small percentage of certificates through us. If you have a Comodo certificate from us, your serial number will need to be recorded and we will have to manually revoke it.

 

 

 

Update from our admin team, this only affected 28% of our shared servers. If you want to know if your servers was affected or not, you can run the simple php script I have attached here.

 

tchhb.php

  • Like 1
Head Guru Grand Master

Head Guru

Posted
Posted

Considering only 28% of our server fleet was effected, I am very confident that our clients are happy to be hosted here at TCH.

 

If you need anythign else please contact the help desk.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...