Preventing heartache from Heartbleed!
We take website security very seriously and you should too! Recently, a group of researchers identified a vulnerability known as ‘Heartbleed’, which exposed a problem with OpenSSL on web servers world-wide. For those who don’t know, OpenSSL is the encryption library that keeps data secure as it travels between browsers and servers, so you can understand why it is causing some heartache!
You will be pleased to know we have checked out all our servers, but we wanted to draw your attention to the problem, especially for those who are running their own servers or virtual machines and who have installed OpenSSL and used it with a self-generated or purchased key.
If you have used OpenSSL on your server, and in particular used it to create or install an SSL key, then we strongly suggest that you update to the latest version as soon as possible, regenerate your keys, and refresh your passwords – just to be on the safe side.
To check if your server is running an unpatched version of OpenSSL, log in to the server and check which version you are using with this command:
openssl version -a
What versions of OpenSSL are affected?
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
- CloudLinux OpenSSL 1.0.1e-16el6_5.7 is NOT vulnerable
To update to the latest version, use the following commands for your distribution:

| Distribution | Refresh package index | Update OpenSSL |
| --- | --- | --- |
| CentOS | yum check-update | yum -y update openssl |
| Ubuntu | sudo apt-get update | sudo apt-get install openssl |
| Debian | sudo apt-get update | sudo apt-get install openssl |
| Fedora | | sudo yum -y install openssl |
Once you have completed the update, run openssl version -a again and check the "built on" line: it should now show a build date of April 7th 2014 or later. (Some distributions backport the fix without changing the version number, so the build date, not the version string, is what confirms the patch.)
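The version check above and the build-date check after updating can be combined into one script. The following is an added example, not part of the original notice: it classifies the text of `openssl version -a` using the version list and the 7 April 2014 build-date rule given above. The sample outputs are constructed to match the real format of the command; the status names (`vulnerable`, `patched-backport`, `not-vulnerable`, `not-listed`) are this example's own.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output by the rules in the notice.
# Distributions such as CloudLinux/CentOS keep the 1.0.1e version string and
# backport the fix, so the "built on" date is the tie-breaker for 1.0.1 to 1.0.1f.

month_num() {
    case "$1" in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *)   echo 00 ;;
    esac
}

# Turn a "built on" value such as "Tue Apr  8 02:39:29 UTC 2014" into the
# sortable number 20140408. The year is the last word; the day is zero-padded
# by hand because printf '%02d' treats "08" as octal in some shells.
build_date_key() {
    # shellcheck disable=SC2086  # word-splitting is intended here
    set -- $1
    mon=$(month_num "${2-}")
    day=${3-}
    [ "${#day}" -eq 1 ] && day="0$day"
    year=0
    for w in "$@"; do year=$w; done
    printf '%s%s%s\n' "$year" "$mon" "$day"
}

# Prints one of: vulnerable, patched-backport, not-vulnerable, not-listed.
heartbleed_classify() {
    out=$1
    version=$(printf '%s\n' "$out" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    built=$(printf '%s\n' "$out" | sed -n 's/^built on: *//p')
    case "$version" in
        1.0.1g|1.0.1[h-z]*|1.0.0*|0.9.8*)
            echo not-vulnerable ;;
        1.0.1|1.0.1[a-f])
            # Same version string as a vulnerable release; if it was rebuilt on or
            # after 7 April 2014 treat it as a backported fix, and confirm that
            # through the package changelog rather than the date alone.
            if [ "$(build_date_key "$built")" -ge 20140407 ]; then
                echo patched-backport
            else
                echo vulnerable
            fi ;;
        *)
            echo not-listed ;;
    esac
}

# Constructed sample outputs, modelled on the real layout of `openssl version -a`.
SAMPLE_UNPATCHED='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Feb 12 19:44:59 UTC 2013
platform: linux-x86_64'
SAMPLE_BACKPORT='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 02:39:29 UTC 2014
platform: linux-x86_64'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr  7 22:47:27 UTC 2014'
SAMPLE_OLD_BRANCH='OpenSSL 1.0.0 29 Mar 2010
built on: Fri Apr  9 11:43:00 UTC 2010'

# Stand-alone use on a real server:  openssl version -a | sh heartbleed_check.sh -
if [ "${1-}" = "-" ]; then
    heartbleed_classify "$(cat)"
fi
```

A missing "built on" line is treated as vulnerable rather than patched, which is the safe default when the output is incomplete. The `not-listed` result covers versions the notice does not mention, which should be checked against your distribution's advisory rather than assumed safe.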
Once you have updated OpenSSL you will probably want to regenerate your private keys and revoke the certificates that were issued for the old ones, since any key that was in use on a vulnerable server may have been exposed. New SSL certificates should then be generated or purchased, depending on how you originally obtained them. To finish, please remember to restart your services (web servers, mail servers and anything else that links against OpenSSL), because a running process keeps the old library loaded until it is restarted.
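The key regeneration step can be scripted and verified before the new key goes anywhere near the server configuration. The following is an added example, not part of the original notice: it creates a fresh 2048-bit RSA key and a certificate signing request for it, confirms the new key really differs from the old one, and confirms the CSR was built from the new key. File paths, the hostname `www.example.com` and the function names are this example's own placeholders; revocation of the old certificate is done through whichever CA issued it and is not shown.

```shell
#!/bin/sh
# Added example: regenerate a server key and CSR after patching, and check the
# rotation actually happened. All paths and names here are placeholders.

# Generate a fresh 2048-bit RSA key and a CSR for it. -nodes leaves the key
# unencrypted, as most web servers expect; subject fields are example values.
regenerate_key_and_csr() {
    key=$1 csr=$2 cn=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -subj "/CN=$cn" 2>/dev/null
}

# SHA-256 of a key's public half, so two keys can be compared safely.
pubkey_digest() {
    openssl rsa -in "$1" -pubout 2>/dev/null | openssl dgst -sha256
}

# True when both keys load and their public halves differ (old key must not survive).
keys_differ() {
    old=$(pubkey_digest "$1")
    new=$(pubkey_digest "$2")
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

# True when the CSR carries the public key of the given private key.
csr_matches_key() {
    k=$(pubkey_digest "$1")
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Runs the whole rotation in a scratch directory and reports the outcome.
# Prints "rotated", "failed", or "openssl-missing" if the tool is not installed.
rotate_demo() {
    command -v openssl >/dev/null 2>&1 || { echo openssl-missing; return 0; }
    dir=$(mktemp -d)
    # The "old" key stands in for the key that was in use on the vulnerable server.
    regenerate_key_and_csr "$dir/old.key" "$dir/old.csr" www.example.com
    regenerate_key_and_csr "$dir/new.key" "$dir/new.csr" www.example.com
    if keys_differ "$dir/old.key" "$dir/new.key" \
       && csr_matches_key "$dir/new.key" "$dir/new.csr"; then
        echo rotated
    else
        echo failed
    fi
    rm -rf "$dir"
}
```

On a real server you would point `regenerate_key_and_csr` at the live key path, send the CSR to your certificate supplier, install the returned certificate, and only then restart the services so they pick up both the patched library and the new key.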
While this vulnerability has only recently been publicly disclosed, it is not clear how long it has been known about. It is good practice to change your passwords regularly, and we would always recommend changing them after a security problem of this size has been announced.