A serious flaw in the OpenSSL cryptographic library, named Heartbleed, has recently been disclosed. It can be exploited to read private data, both users' and the server's own, straight out of a server's memory.
It is said to affect almost two-thirds of web servers, which is nothing short of catastrophic from a security perspective. According to Netcraft's statistics, Apache and Nginx, both of which use OpenSSL, together hold an active market share of over 66%. Not all of those servers run a vulnerable version of the library, however.
What exactly is the Heartbleed bug?
Websites use encryption to protect their data, usually in the form of SSL certificates and the TLS connections those certificates secure. OpenSSL is the open-source cryptographic library that millions of websites rely on. When you see a padlock in your browser you assume the site is secure, but because of this vulnerability that may not have been the case for up to two years.
Heartbleed is a vulnerability in the OpenSSL 1.0.1 series that stems from its heartbeat functionality, which is now being actively exploited. Its official reference is CVE-2014-0160; CVE (Common Vulnerabilities and Exposures) is the standard naming scheme for publicly known information-security vulnerabilities.
Technically speaking, the bug is in OpenSSL's implementation of the heartbeat extension of the TLS and DTLS (Transport Layer Security / Datagram TLS) protocols. It is not a design flaw in the protocol but an implementation problem: the code trusts the payload length claimed by the peer without checking it against the size of the record actually received, so it copies up to 64 KB of whatever happens to follow in process memory into the reply.
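To make the implementation problem concrete, here is an added example (not code from the original post, eUKhost, or the OpenSSL project) that models OpenSSL's TLS heartbeat handler in C. A small simulated arena stands in for process memory, the secret planted after the record is constructed for the demonstration, and the two handlers mirror the pre-1.0.1g logic and the two bounds checks added in 1.0.1g; the real code uses random padding where this uses zeros.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory: the incoming heartbeat record is placed at the
 * start of this arena and a constructed "secret" (standing in for key
 * material or another user's session data) is placed right after it.
 * The arena is large enough that even a 65535-byte claimed length stays
 * inside it, so the simulation itself never reads out of bounds. */
#define HB_PADDING   16
#define MAX_PAYLOAD  65535
#define ARENA_SIZE   (3 + MAX_PAYLOAD + HB_PADDING + 64)

static uint8_t arena[ARENA_SIZE];      /* "process memory" */
static uint8_t response[ARENA_SIZE];   /* reply written by the handler */

static const char SECRET[] = "PRIVATE-KEY-MATERIAL";   /* constructed secret */

enum { HB_REQUEST = 1, HB_RESPONSE = 2 };

/* Write a heartbeat request into the arena. claimed_len is the 16-bit
 * payload_length field the peer sends; actual_len is the number of payload
 * bytes that really follow. Returns the true record length. */
static size_t stage_memory(uint16_t claimed_len, const uint8_t *payload,
                           size_t actual_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;   /* padding left as zeros */
    memcpy(arena + rec_len, SECRET, sizeof SECRET); /* whatever sits next in memory */
    return rec_len;
}

/* Shared by both handlers: build the reply from the claimed length. */
static size_t build_reply(const uint8_t *pl, uint16_t payload)
{
    response[0] = HB_RESPONSE;
    response[1] = (uint8_t)(payload >> 8);
    response[2] = (uint8_t)(payload & 0xff);
    memcpy(response + 3, pl, payload);               /* echo the "payload" back */
    memset(response + 3 + payload, 0, HB_PADDING);   /* OpenSSL uses random padding */
    return 3 + payload + HB_PADDING;
}

/* Pre-1.0.1g behaviour: the length field is trusted and rec_len is never
 * consulted, so the memcpy in build_reply runs past the real record. */
static size_t hb_respond_vulnerable(const uint8_t *rec, size_t rec_len)
{
    (void)rec_len;                                     /* the bug: never checked */
    const uint8_t *p = rec + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]); /* n2s(p, payload) */
    return build_reply(p + 2, payload);
}

/* 1.0.1g behaviour: the two bounds checks from the fix. A bad length makes
 * the record silently discarded (return 0), as the patched code does. */
static size_t hb_respond_fixed(const uint8_t *rec, size_t rec_len)
{
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;                                      /* no room for a header */
    const uint8_t *p = rec + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                      /* claimed length lies */
    return build_reply(p + 2, payload);
}

/* Stage a 2-byte payload ("hi") with the given claimed length, run one of
 * the handlers, and return the reply length (0 = request discarded). */
size_t run_scenario(int use_fixed, uint16_t claimed_len)
{
    static const uint8_t payload[2] = { 'h', 'i' };
    size_t rec_len = stage_memory(claimed_len, payload, sizeof payload);
    return use_fixed ? hb_respond_fixed(arena, rec_len)
                     : hb_respond_vulnerable(arena, rec_len);
}

/* Did the last reply carry the planted secret back to the peer? */
int reply_exposes_secret(size_t reply_len)
{
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= reply_len; i++)
        if (memcmp(response + i, SECRET, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    size_t v = run_scenario(0, 16384);   /* claim 16 KB, actually send 2 bytes */
    size_t f = run_scenario(1, 16384);
    printf("vulnerable handler: %zu-byte reply, secret leaked: %s\n",
           v, reply_exposes_secret(v) ? "yes" : "no");
    printf("fixed handler:      %zu-byte reply (0 = discarded)\n", f);
    return 0;
}
```

The request sends two real payload bytes but claims 16384, and the vulnerable handler dutifully echoes 16384 bytes, carrying the planted secret with it; the fixed handler sees that 1 + 2 + 16384 + 16 exceeds the 21-byte record and drops the request. An attacker repeats this against a live server to sweep through different regions of heap memory, which is why session cookies, passwords and private keys were all at risk.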
How can we protect ourselves?
OpenSSL's security advisory states that only the 1.0.1 and 1.0.2-beta releases are affected, that is, 1.0.1 through 1.0.1f and 1.0.2-beta1; the 0.9.8 and 1.0.0 branches are not. The vulnerability is fixed in OpenSSL 1.0.1g. Users who cannot upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Note that an upgraded library is only picked up by processes that are restarted, so web, mail and other services linked against OpenSSL must be restarted after the update; and because private keys may already have been read out of memory, keys and certificates on servers that were exposed should be reissued.
Is eUKhost safe from this?
All of our servers that were running a vulnerable version have been patched to OpenSSL 1.0.1g.
Customers can use this free SSL Configuration Checker tool to test their websites for the Heartbleed vulnerability.
We would also recommend that you change your billing password and the cPanel/WHM password for better security.
We have made the necessary upgrades to our servers, and all cPanel shared hosting servers are now safe from this vulnerability. Dedicated server and VPS customers, however, must take immediate action themselves and update to OpenSSL 1.0.1g (or the equivalent patched package from their distribution, which may keep the older version number) to fix this.
If you feel your website might be affected and need assistance with fixing this, raise a support ticket and one of our senior technicians will apply the patch for you. You can follow continuous updates and take part in our HeartBleed forum discussion for more information.