Various media outlets alerted the world to a massive bug in the security of OpenSSL, encryption software for servers that is now installed on at least two thirds of all existing sites in the world. The bug was named “Heartbleed”, or Bleeding Heart, alluding to both a (security) hole and a heart, since OpenSSL is the heart of security. The good news is that if your site is hosted with us, all of our servers were updated in a timely manner.
But what is Heartbleed and what implications does it have? To answer this, let's start at the beginning.
What is SSL?
SSL (Secure Sockets Layer) is an encryption technology that allows information to be transmitted securely over the internet. When, for example, you visit Gmail and see a padlock next to the web address, that tells you that communications with the site are being encrypted. This prevents malicious eavesdroppers listening in on Internet connections from seeing the data traveling in either direction.
Using SSL, all information is transformed into an encrypted message that only you and the page you are visiting can decipher. If any intermediary “eavesdropped” on the conversation, they would find only seemingly random characters, and no content from your emails, Facebook posts, credit cards, or any other sensitive information.
SSL was originally introduced by Netscape in 1994 and has been readily available in all browsers since the 1990s. In recent years there has been a trend toward enabling encryption by default, as is the case with Gmail, Yahoo and Facebook.
How Heartbleed works
The engine behind the vast majority of SSL connections on the Internet is open source software called OpenSSL. On Monday, April 7, the project announced, through this site, that an important security bug had been detected. This hole in the encryption system would allow a third party to intercept part of the messages sent via SSL, and, to make matters worse, the problem has existed for about 2 years.
Heartbleed works like this: the SSL standard includes an option, commonly called a “pulse” (heartbeat), which allows a computer on one side of the SSL connection (yours or the server itself) to send a short message, a “token”, to verify that the other side of the communication is still online. The computer that receives this signal says "here I am" by sending the corresponding response message. Researchers found that when a specifically crafted message is sent, the response may contain bits of information from the server's RAM.
For the geeks: you can find a more specific English explanation of how this works here.
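To make the mechanism concrete, here is an added, simplified model (not OpenSSL's code, and not part of the original post) of how a heartbeat record is handled: the unpatched handler trusts the length field in the message and copies that many bytes, so a message that declares more payload than it carries gets back whatever happened to follow the record in memory; the patched handler drops any message whose declared length does not fit the record that actually arrived. The heap contents are constructed sample data.

```python
import struct

# Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16)
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16

# Constructed stand-in for whatever happened to sit after the record in the heap.
HEAP_AFTER_RECORD = b"sid=7f3a1c;user=alice;password=hunter2;"


def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat request. claimed_length lets a test declare a length
    that does not match the real payload, the mismatch Heartbleed depends on."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def vulnerable_respond(record, heap=HEAP_AFTER_RECORD):
    """Model of the unpatched handler: trusts the declared length and copies
    that many bytes from the payload offset, reading past the end of the record."""
    _, length = struct.unpack("!BH", record[:3])
    buf = record + heap                      # the record plus adjacent heap memory
    payload = buf[3:3 + length]              # no check against len(record)
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * PADDING


def patched_respond(record, heap=HEAP_AFTER_RECORD):
    """Model of the fix: discard any heartbeat whose header, declared payload
    and minimum padding do not fit inside the record actually received."""
    _, length = struct.unpack("!BH", record[:3])
    if 1 + 2 + length + PADDING > len(record):
        return None                          # silently drop, as the OpenSSL fix does
    return vulnerable_respond(record, heap)  # lengths agree, so the copy is safe


def response_payload(response):
    """Return the echoed payload carried by a heartbeat response."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]
```

A server that drops mismatched heartbeats (or is built without the heartbeat extension) never echoes anything beyond the bytes the peer actually sent.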
Is it really that serious?
Yes. A server's memory can hold an endless amount of sensitive information; for example, access passwords.
Who discovered the bug?
Apparently the bug was discovered by independent researchers from a security company called Codenomicon, and corroborated by Google. To minimize the impact of the issue, we worked with the OpenSSL team to resolve it immediately, prior to the public announcement.
How to protect yourself from Heartbleed?
If your site is hosted with us, our entire platform has been updated, so you don't need to do anything. If you want to confirm whether your site is vulnerable, you can use this online tool.
If you host on a server with cPanel, these are the steps to follow via SSH while logged in as root:
- yum update openssl
- /scripts/upcp --force
- /etc/init.d/cpanel restart
- service httpd stop
- From the WHM process manager, kill any httpd process
- service httpd start
- Use the test at https://filippo.io/Heartbleed/. If your site is still vulnerable, use EasyApache to recompile Apache and try again.
We are Duplika