Security Advice – OpenSSL Heartbleed Bug (Update)

bleedheartOpenSSL Heartbleed Bug Update & SSL Certificates

This is an update to the security advisory we sent yesterday. Your webmaster or IT person should be made aware of this information.

Yesterday we emailed all our web hosting customers aboutthe Heartbleed vulnerability in OpenSSL security software. Google Security and Codenomicon – a Finnish security company – revealed on Monday that the flaw had existed in OpenSSL for more than two years. On Tuesday security patches were released by OpenSSL, cPanel and CloudLinux, and we immediately began installing these on all the web servers we manage. The security vulnerability is thought to have initially affected several million web servers. All our web servers are now protected. Our support team have received a lot of technical requests and therefore we are sending you this update.

What exactly is Heartbleed?

The Heartbleed bug is a security vulnerability where a hacker can send a request to an SSL secured website, and vulnerable versions of the OpenSSL security software running on the web server will send a response back to the hacker that exposes the SSL private keys. Normally the SSL private keys are used to decrypt sensitive data and they should be kept secret. The security patches we have implemented on our web servers will prevent OpenSSL security software from exposing the SSL private keys. There is no way of knowing if they’ve been exposed before the security patching because the Heartbleed bug leaves no trace. Web hosting companies all around the world are working on implementing similar security patching to their own web servers.

Where does JSWeb use OpenSSL?

All our web servers use OpenSSL security software to encrypt data sent to/from SSL secured websites. SSL is recommended for any websites that handle sensitive data, and it’s compulsory for websites that process credit card information to have an SSL certificate. If you use an SSL connection to connect to websites, email or other applications such as cPanel, WHM and webmail, you’ll normally see the “lock” symbol appear on your web browser. If the website is hosted with us, it definitely uses OpenSSL software. There is no evidence that any of our web servers have been exploited, but as a security precaution we have re-issued the SSL certificate(s) used by website/email services on our web servers, and we have also re-issued the SSL certificate used on the JSWeb client area.

What steps do I need to take?

You should be aware of the security vulnerability and take sensible steps to stay safe online. Discuss the issue with your IT person. There is useful information about the vulnerability at http://heartbleed.com/

We recommend reading this article on BBC News http://www.bbc.co.uk/news/technology-26954540 because it contains useful background information and good practice tips for online security. Some major technology companies have recommended the public “change your passwords everywhere”. At JSWeb, we are not forcing customers to reset their passwords, but we would remind customers that it’s considered good practice to change your passwords on a regular basis or when there is any possibility of a security threat like this.

The Mashable website http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ has a list of some of the biggest websites including Facebook, Tumblr, Yahoo and Google where you may want to change your passwords as a precaution.

My website has an SSL certificate, what do I do?

The advice we have received from our SSL providers (GeoTrust, Comodo and GlobalSign) is that all SSL certificates should be re-issued and re-installed. This is because there was the (very small) chance someone could have exploited OpenSSL on your website and retrieved the SSL private keys. This involves creating a new CSR (certificate signing request), JSWeb submitting a re-issue request to the appropriate SSL provider, and then the certificate being validated, re-issued and re-installed on the webserver. If you have purchased an SSL certificate from JSWeb and you’d like to have it re-issued and re-installed, please email our support team. There is no cost involved, but please be patient because our support team are receiving more requests than usual.

My website does NOT have an SSL certificate, what do i do?

The Heartbleed bug won’t affect your website because there isn’t an SSL certificate installed on your website. Data to/from your website is not encrypted using SSL in the first place. We do recommend SSL certificates for any website that transmits sensitive data and SSL certificates are essential if your website transmits credit card data. You may want to consider purchasing one. Please email our sales team.