Rosanne

Openssl - Heartbleed Vulnerability


http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/

 

This is huge. Big names like Amazon, Yahoo, GitHub, and possibly Google (since they reported the vulnerability) use it. It's at the heart of Apache and nginx. I'm already changing passwords on the sites I know are patched (rumor has it that Yahoo is NOT one of them :-P ). Do y'all use OpenSSL, and if so, is it patched yet?


But have new certificates and keys been issued in case the servers had already been exploited?


Our servers are all secure; we do have checks in place to counter such vulnerabilities. The specifics we cannot discuss in an open forum, as I am sure you will understand. But what I can tell you is, we take security very seriously, and all our servers are updated and patched for any issues reported as soon as they are in the public domain.


Yes, but given this exploit has been around for a couple of years and leaves no traces, you have no real way of knowing if somebody has used it and got a copy of the key.


My local security expert sent me this in a message this morning:

 

Not only do affected servers need to be updated, they must have any secure certificates re-generated under safe conditions, and all user accounts reset. Reports over the past few days show that many organisations seem to be only doing the update, leaving their customers at risk.

 

Can you just confirm that TCH have done all parts of this and it is now safe to change our passwords?


While not 100% necessary, all of our shared certs are in the process of being updated; this will take time.

 

If you own and have an SSL certificate and you decide you want to have it replaced, then please open a ticket and we can discuss your options. Note that this will require us to revoke and reissue your certificate, which will mean that until completed you will get certificate warnings on your site.

 

If you do not have an SSL certificate on your site and do not use our shared SSL, then none of this affects you. Also note that this only affects our CentOS 6 servers, which at the moment are a small part of our server farm.


Thanks for the update! I had just run a check of both the totalchoicehosting and tchmachines certs, and yes, I would like to implement your new shared certs, once they're available.

 

Thanks!


The certificates for our main site are already done. Note that the date is no indicator; issuing a new private key is not going to change the validity dates.


Thanks. This whole mess is going to make me have to review what my instructors TRIED to teach me about encryption and how keys work. I checked a couple of the big ones, saw that they were dated this week, and figured that was a good indicator.

Edited by Rosanne


Just some additional information for anyone who does choose to have their cert reissued (those that purchased it from us).

 

After contacting us the following steps will occur:

  • We will generate a new Certificate Signing Request (CSR) and Private Key, which will be used to reissue and install the new certificate.
  • We will have to verify domain ownership again; how long this takes will depend on the certificate type. Most will be within an hour.
  • Once verified, the certificate is reissued and we will reinstall the new certificate.
  • The old certificate will then be automatically revoked within 12 to 24 hours after being reissued. Correction: This only applies to a small percentage of certificates through us. If you have a Comodo certificate from us, your serial number will need to be recorded and we will have to manually revoke it.

Update from our admin team: this only affected 28% of our shared servers. If you want to know if your server was affected or not, you can run the simple PHP script I have attached here.

 

tchhb.php

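The two points made in this thread worth checking for yourself, that a new validity date says nothing about whether the private key was replaced and that a reissue starts from a new CSR and private key while the old serial is recorded for revocation, can be verified from the certificates themselves. The following is an added example and is not part of this thread or of TCH's attached tchhb.php script: a stdlib-only Python check that pulls the serial, validity window and SubjectPublicKeyInfo hash out of a DER certificate and decides whether a reissued certificate actually carries a new key. The minimal DER walker and the unsigned certificate skeletons used as input are constructed for the example; point `cert_fields` at real DER (e.g. from `ssl.PEM_cert_to_DER_cert`) for a live comparison.

```python
import hashlib

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the contents of a SEQUENCE into (tag, value, raw_tlv) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, nxt = der_read(value, pos)
        out.append((tag, val, value[pos:nxt]))
        pos = nxt
    return out

def cert_fields(cert_der):
    """Serial, validity window and SubjectPublicKeyInfo hash of an X.509 DER cert."""
    _, cert, _ = der_read(cert_der)                    # Certificate ::= SEQUENCE
    elems = der_children(der_children(cert)[0][1])     # tbsCertificate elements
    if elems[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        elems = elems[1:]
    # elems: [0]=serial [1]=sig alg [2]=issuer [3]=validity [4]=subject [5]=SPKI
    not_before, not_after = [v.decode() for _, v, _ in der_children(elems[3][1])]
    return {"serial": int.from_bytes(elems[0][1], "big", signed=True),
            "not_before": not_before, "not_after": not_after,
            "spki_sha256": hashlib.sha256(elems[5][2]).hexdigest()}

def key_rotated(old_der, new_der):
    """True only if the reissued cert carries a different public key than the old one."""
    return cert_fields(old_der)["spki_sha256"] != cert_fields(new_der)["spki_sha256"]

# --- Constructed sample input: unsigned certificate skeletons, not real certs ---
def tlv(tag, content):                                 # short-form lengths suffice here
    return bytes([tag, len(content)]) + content

def fake_cert(serial, spki_bytes):
    validity = tlv(0x30, tlv(0x17, b"140401000000Z") + tlv(0x17, b"150401000000Z"))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial.to_bytes(2, "big"))
           + tlv(0x30, b"") + tlv(0x30, b"") + validity + tlv(0x30, b"")
           + tlv(0x30, spki_bytes))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

OLD_CERT = fake_cert(0x1001, b"old-key-A")          # key in use before patching
REISSUED_NEW_KEY = fake_cert(0x1002, b"new-key-B")  # correct: fresh CSR and private key
REISSUED_SAME_KEY = fake_cert(0x1003, b"old-key-A") # wrong: old CSR/key reused by the CA
```

All three skeletons share the same validity dates, so only the SPKI comparison tells the properly rotated reissue apart from the one that reused the compromised key; the old serial from `cert_fields` is what gets recorded for manual revocation.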

Many thanks for the clear explanation. As always TCH is an example to other hosts of how to give great customer service. :)


Considering only 28% of our server fleet was affected, I am very confident that our clients are happy to be hosted here at TCH.

 

If you need anything else please contact the help desk.
