SSL Vulnerability – Heartbleed Bug

Heading the news in IT today was not Microsoft's final security update for Windows XP, but the announcement of a severe bug in the OpenSSL library. OpenSSL is used by a large share of Internet servers to secure websites over SSL/TLS. The bug, tracked as CVE-2014-0160 and nicknamed Heartbleed, lets a remote attacker read chunks of a server's memory, exposing sensitive information such as user login credentials.

This is a very significant bug that affects many secured websites, including some banks, webmail services and other web-based services. It should be noted that the bug does not lie in the SSL/TLS protocol itself, but in the implementation of the protocol's heartbeat extension in certain versions of OpenSSL: the code does not check that the payload length declared in a heartbeat request matches the data actually sent, so a server answers a short, malformed request with up to 64 KB of whatever happens to sit in its process memory. That memory can contain session cookies, passwords and the server's private key, which is why a patched server also needs a new key and certificate, not just the library update. OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) are affected; 1.0.1g fixes the bug, and the 1.0.0 and 0.9.8 branches were never affected.

We have run an audit on all our servers today and found that some of our Linux servers were using vulnerable versions of OpenSSL. We have already taken action and patched the OpenSSL libraries on all the affected servers.
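As an added example, not part of the original announcement or of any tooling the host describes, the following POSIX shell script shows the two checks such an audit needs. The first classifies an `openssl version` / `openssl version -b` pair: the version letter alone is not enough, because Linux distributions backported the fix while keeping strings such as "OpenSSL 1.0.1e", so a build date on or after 7 April 2014 (the 1.0.1g release) marks a host that must be confirmed from its package changelog rather than declared vulnerable. The second finds daemons that still have the old, now deleted, libssl or libcrypto mapped after the package was upgraded; those keep the vulnerable code in memory until restarted. All sample strings are constructed for the example; the `--host` mode runs the same functions against the local machine.

```shell
#!/bin/sh
# Added example (not from the original post): Heartbleed exposure checks.
# Facts used: affected upstream releases are OpenSSL 1.0.1 through 1.0.1f
# and 1.0.2-beta1; the fix, 1.0.1g, was released on 7 April 2014.
# Output formats are those of OpenSSL 1.0.1-era builds and of `lsof -n`.

# Return 0 when an `openssl version` line names an affected upstream release.
# Distribution suffixes such as "-fips" (e.g. "OpenSSL 1.0.1e-fips") are tolerated.
in_affected_range() {
  case "$1" in
    "OpenSSL 1.0.1 "*|"OpenSSL 1.0.1-"*|"OpenSSL 1.0.1"[a-f]*|"OpenSSL 1.0.2-beta1"*)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Three-letter month name to number (1-12); prints nothing if unknown.
month_number() {
  case "$1" in
    Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
    May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
    Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *)   echo "" ;;
  esac
}

# Return 0 when a "built on: Mon Apr  7 23:56:17 UTC 2014" line (the output of
# `openssl version -b`) is dated on or after the fix release; 1 for earlier
# dates or for anything that does not parse (treated as not proven patched).
built_on_or_after_fix() {
  rest=${1#built on: }
  # Intentional word splitting: fields become Mon Apr 7 23:56:17 UTC 2014
  set -- $rest
  [ $# -ge 4 ] || return 1
  mon=$(month_number "$2")
  day=${3#0}
  for w; do year=$w; done            # the year is the last field
  case "$day$year" in *[!0-9]*|"") return 1 ;; esac
  [ -n "$mon" ] || return 1
  stamp=$((year * 10000 + mon * 100 + day))
  [ "$stamp" -ge 20140407 ]
}

# Verdict for one host:
#   not-affected    version outside the affected range (1.0.1g+, 1.0.0, 0.9.8)
#   vulnerable      affected version, built before the fix existed
#   check-changelog affected version string but built on/after 7 Apr 2014,
#                   the signature of a distribution backport; confirm via the
#                   package changelog instead of trusting the version letter
classify_openssl() {
  if ! in_affected_range "$1"; then
    echo not-affected
  elif built_on_or_after_fix "$2"; then
    echo check-changelog
  else
    echo vulnerable
  fi
}

# After libssl is upgraded, running daemons keep the deleted old copy mapped
# until restarted. `lsof -n` shows such mappings with DEL in the FD column;
# this prints the unique command names still holding one.
# Usage: lsof -n 2>/dev/null | stale_libssl_holders
stale_libssl_holders() {
  awk '/ DEL / && /libssl|libcrypto/ { print $1 }' | sort -u
}

# Constructed lsof-style lines for demonstration, not captured from a real host.
sample_lsof_output() {
  cat <<'EOF'
COMMAND     PID     USER   FD      TYPE DEVICE SIZE/OFF   NODE NAME
nginx      1234 www-data  DEL       REG    8,1            12345 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx      1235 www-data  DEL       REG    8,1            12346 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
sshd        900     root  mem       REG    8,1   431472   12399 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
postfix    1500  postfix  DEL       REG    8,1            22222 /usr/lib/locale/locale-archive
EOF
}

# Audit the local machine when invoked as: sh heartbleed_audit.sh --host
if [ "${1:-}" = "--host" ]; then
  ver=$(openssl version 2>/dev/null)
  built=$(openssl version -b 2>/dev/null)
  echo "$ver / $built -> $(classify_openssl "$ver" "$built")"
  echo "processes still holding a replaced libssl/libcrypto (restart these):"
  lsof -n 2>/dev/null | stale_libssl_holders
fi
```

Run it on each host with `--host`; a `vulnerable` verdict means patch, a `check-changelog` verdict means read the package changelog for the CVE-2014-0160 entry, and any name printed by the second check is a service that must be restarted before the patch is actually in effect.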

While it is unlikely that any of our servers or hosted websites would have been the target of attackers, we will err on the safe side and reissue all relevant SSL certificates and revoke the old ones. These include certificates used for cPanel, WebMail, our Client Portal and secure websites of clients. The replacement of the certificates will be a systematic process that will take us a couple of days to complete.

You can read more about the vulnerability at http://heartbleed.com/. There is also a test page available at http://filippo.io/Heartbleed/, which checks whether a given server still answers a malformed heartbeat request with leaked memory.