An update on the Heartbleed OpenSSL vulnerability

Posted By: Avazio on Apr 09, 2014 in Blog, Help

It recently came to light that there was a serious programming error within OpenSSL, endangering the encryption keys and data of SSL connections on the Internet. The error allows anyone to read out the memory of vulnerable servers. Specifically, this means an attacker can read keys, passwords and other private information. There is more information about the bug at http://heartbleed.com. Additionally, you can check whether you are vulnerable using GlobalSign’s SSL checker: https://sslcheck.globalsign.com/en_GB.

Many services other than HTTPS use SSL: e-mail, VPN and others. It is extremely important that these services are also secured as soon as possible. This blog post covers our response and the action we would recommend VPS and dedicated server customers take.

Our response

All our infrastructure and shared web hosting servers were patched on Tuesday morning as soon as the vulnerability was announced. We have also reissued our own SSL certificates to secure our customers’ data.

We are currently setting up a bulk reissue process. Once it is in place, we will automatically reissue and install all shared web hosting certificates; shared hosting customers do not need to do anything.

Windows servers – Review any applications that have been installed, as they may be bundled with OpenSSL libraries. (Our standard build has no vulnerable applications installed.)
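
One way to carry out the Windows review described above, as an added example that is not part of the original post: a PowerShell (3.0 or later) inventory of OpenSSL DLLs shipped alongside installed applications, plus the processes that currently have one loaded. The file names `libeay32.dll` and `ssleay32.dll` and the search roots are assumptions; applications that link OpenSSL statically will not show up, so the vendor's own advisory still has to be checked.

```powershell
# Added example: inventory OpenSSL DLLs bundled with installed applications.
# Assumption: applications ship OpenSSL as separate DLLs under these names.
$names = 'libeay32.dll', 'ssleay32.dll'

# Assumption: these roots cover where software is installed on this server.
$roots = $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData |
    Where-Object { $_ -and (Test-Path $_) }

# One row per bundled copy: owning directory, embedded version, signer.
$found = Get-ChildItem -Path $roots -Include $names -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Application = $_.Directory.FullName
            Library     = $_.Name
            FileVersion = $_.VersionInfo.FileVersion
            Modified    = $_.LastWriteTime
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
        }
    }
$found | Sort-Object Application, Library | Format-Table -AutoSize -Wrap

# Processes that have one of these libraries loaded right now. Replacing the
# file on disk does not change a running process, so these need a restart
# after the application has been updated.
$loaded = foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }   # access denied / process exited
    foreach ($m in $mods) {
        if ($names -contains $m.ModuleName) {
            [pscustomobject]@{ Process = $p.ProcessName; Id = $p.Id; Path = $m.FileName }
        }
    }
}
$loaded | Sort-Object Process | Format-Table -AutoSize
```

Run it from an elevated prompt so that modules of service processes can be read; compare each reported version with the application vendor's advisory.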

Customers with SSL certificates issued by us will be contacted either by ourselves or by our Certificate Authority in due course, at which point you will be able to request a certificate revoke and reissue from us.

Customers with independently sourced SSL certificates should consider requesting a revoke and reissue from their certificate vendor and may be directly contacted by their Certificate Authority in due course.

Edit 11/04/13

Problems with sending emails after SSL update:

Due to the Heartbleed bug we have had to update all of our own SSL certificates, including those on our shared mail servers. Mac users are reporting errors such as “Invalid Certificate Error” or “Invalid SSL” when trying to send mail. If you are seeing this error, please do the following and you should then be able to send mail as expected:

Go to Applications.
In the Utilities folder, click the icon for Keychain Access.
In this application, find the mail server that you are using, right-click it and click “Delete”.

This should then allow you to connect to the mail server correctly.
