A serious programming error in OpenSSL recently came to light, endangering the encryption keys and data of SSL connections on the Internet. The bug allows anyone to read the memory of vulnerable servers. Specifically, this means an attacker can read keys, passwords and other private information. There is more information about the bug at http://heartbleed.com. Additionally, you can check whether you are vulnerable using GlobalSign’s SSL checker at https://sslcheck.globalsign.com/en_GB.
Many services other than HTTPS also use SSL, including e-mail, VPN and others. It is extremely important that these services are also secured as soon as possible. This blog post covers our response and the action we would recommend VPS and dedicated server customers take.
All our infrastructure and shared web hosting servers were patched on Tuesday morning as soon as the vulnerability was announced. We have also reissued our own SSL certificates to secure our customers’ data.
We are currently setting up a bulk reissue process. Once it is in place, we will automatically reissue and install all shared web hosting certificates; shared hosting customers do not need to do anything.
Windows servers – Review any applications that have been installed, as they may be bundled with OpenSSL libraries. (Our standard build has no vulnerable applications installed.)
Customers with SSL certificates issued by us will be contacted either by ourselves or by our Certificate Authority in due course, at which point you will be able to request a certificate revocation and reissue from us.
Customers with independently sourced SSL certificates should consider requesting a revocation and reissue from their certificate vendor, and may be contacted directly by their Certificate Authority in due course.
Problems with sending emails after SSL update:
Due to the Heartbleed bug we have had to update all of our own SSL certificates, including those on our shared mail servers. We are seeing reports from Mac users of errors such as “Invalid Certificate Error” or “Invalid SSL” when trying to send mail. If you are seeing this error, please do the following and you should then be able to send mail as expected:
Go to Applications.
In the Utilities folder, click on the icon for Keychain Access.
In this application, find the mail server that you are using, right-click it and click “Delete”.
This should then allow you to connect to the mail server correctly.