This is an urgent security advisory regarding the OpenSSL security vulnerability CVE-2014-0160, which was revealed today to be a catastrophic, remotely exploitable vulnerability affecting all applications that use OpenSSL.
The vulnerability was announced via the domain http://www.heartbleed.com
Which versions are affected is unclear:
- The Heartbleed website says everything above 1.0.0+
- We also read an unconfirmed report that it was 1.0.1 through 1.0.1f (inclusive)
- The OpenSSL advisory dated today states: “Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1”
(To check the OpenSSL version from your Unix shell, type: $ openssl version)
The following analysis has been posted regarding the bug:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
An online tool that can diagnose if your web server is at risk is online here:
Recommendations:
If you are running a vulnerable version:
- Upgrade your openSSL libs
- restart any applications that use openSSL
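As an added example (not part of the original advisory and not easyDNS tooling), a POSIX shell script that performs the version check noted above and then lists the processes that still need restarting after the upgrade; the version classification follows the release ranges quoted from the OpenSSL advisory, and the restart scan assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Added example (not easyDNS code): the two checks the advisory above asks for.
#  1. classify an `openssl version` banner against the releases named in the
#     OpenSSL advisory: 1.0.1 through 1.0.1f inclusive plus 1.0.2-beta1;
#     1.0.0 and 0.9.8 never shipped the heartbeat code and are unaffected
#  2. list processes still mapping a replaced libssl, i.e. not yet restarted

# Prints one of: vulnerable, fixed, unaffected, unknown
heartbleed_status() {
    # version is the second word of e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
    ver=${1#* }
    ver=${ver%% *}
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;  # 1.0.1 .. 1.0.1f
        1.0.2-beta1)                           echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*)                    echo fixed ;;       # 1.0.1g and later
        0.9.*|1.0.0*)                          echo unaffected ;;
        *)                                     echo unknown ;;
    esac
}

# Linux only: after the library package is replaced on disk, a process still
# using the old copy shows the mapping as "(deleted)" in /proc/<pid>/maps until
# it is restarted. Run as root to see every process; otherwise only your own.
processes_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            pid=${pid%/maps}
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    echo "$banner -> $(heartbleed_status "$banner")"
    # Distributions backport the fix without bumping the letter (a patched
    # 1.0.1e is common), so confirm a "vulnerable" verdict against the build
    # date from `openssl version -b` and your vendor's package changelog.
fi
processes_needing_restart
```

Anything listed by the restart scan is still serving TLS with the old library in memory, so the package upgrade alone has not closed the hole for it.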
But wait, there’s still more…
You then have to decide whether or not to treat your existing keys as already compromised (because if they were, there is no way you would know it). If you feel the risk is too great, you must re-issue your SSL certs after generating new private keys and using them to generate new CSRs.
Unfortunately, this is the same thing as buying or renewing your SSL cert(s).
At this point we do not know if the certificate issuers will do something about this unprecedented situation, such as allow free re-issues or offer some kind of price break. But if you are running an ecommerce website, or the security of your customer data is paramount, you may want to do the same thing we did here at easyDNS tonight, which was to go ahead and purchase new SSL certs (after upgrading our OpenSSL libs and regenerating our keys & CSRs).
Update: Free Cert Re-Issues
It has been pointed out (immediately after emailing this alert to all our SSL customers) that our supplier, GeoTrust, allows free certificate re-issues as long as the info used to generate your CSR hasn’t changed.
Go here: http://www.geotrust.com/support/ssl-certificate-reissuance/
In any case, check with your systems team, assess your vulnerability and keep your children indoors. This is pandemonium.
Eric Teutsch says
Can you please blog on whether (and when) your customers need to change passwords for easydns.com, easypress.ca and easymail.ca (and possibly other services)?
Mark Jeftovic says
Hi Eric, we’re going to post further on this, but our basic stance is this: it is never a bad time to change your passwords.
You should also look at implementing other security measures on any key vendors that support it, namely
* 2-factor authentication
* Access Control Lists (ACLs)
* Event Notifications (logins, changes, etc)
Soren says
Many other websites have put up an announcement as to whether they are affected or not — it would not be too much to put down a message as to
1) if you are using openssl or another ssl package
2) if you are using openssl which version (1.0.0 is not affected).
Easydns is not listed in this log of sites:
https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt
so we cannot find out ourselves.
Mark Jeftovic says
Hi Soren, I guess I assumed it was clear that when I said we upgraded our libs and re-issued our own certs that meant we were not vulnerable.
We were using openSSL but have patched and re-issued all affected servers and SSL certs.
We will probably do a follow up post around this with some recommendations for users (password resets, 2-factor auth, etc).