Heartbleed Bug OpenSSL Vulnerability


Last week, a very serious bug in OpenSSL was disclosed.  OpenSSL, a set of open source tools to handle secure communication, is used by most Internet websites.  This bug, nicknamed Heartbleed, allowed an attacker to read sensitive information from vulnerable servers and possibly steal things like passwords, cookies, and encryption keys.

Due to the nature of the vulnerability, it is not possible to know immediately what information, including private keys, passwords, or session IDs, may have been compromised. Attacks that leverage the Heartbleed bug occur very early in the exchange, before a full connection has been established, and so leave no log entry showing that an attack has occurred.

Were Net Solutions servers vulnerable to Heartbleed?

Yes. Net Solutions servers were running the latest version of OpenSSL, which was vulnerable. We generally run the latest version of OpenSSL as directed by the vendors of the software. It also enables us to achieve performance enhancements, such as SPDY, for our users. The non-vulnerable versions of OpenSSL were over two years old.

Has Net Solutions fixed the issue?

Yes. We made a full assessment of all the servers and systems and updated and patched all of our servers within a few hours of the public disclosure.

Has Net Solutions replaced all SSL certificates and private keys?

Yes. Out of an abundance of caution, we have replaced all of the SSL certificates on our systems, along with regenerating all of the associated private keys. In addition, our servers support forward secrecy, so that even if our private keys were compromised, they could not have been used to decrypt future encrypted traffic.

If you have purchased SSL certificates via Net Solutions it is recommended that you contact the SSL provider to reissue your certificates. This must be performed by the owner of the certificate as proof of identification will be required during the reset process.

What should cPanel Hosting Customers do?

We would like to reassure customers that all cPanel shared hosting servers are safe from this vulnerability, as our administrators immediately took action to patch all of our servers that were affected by the vulnerability.

However, since the Heartbleed bug has had a profound impact on the transmission of secure data throughout the Internet we are encouraging our customers to reset their cPanel passwords via the Client Area at https://clients.netsolutions.net.au (under Services -> My Services -> View Details -> Change Password) at their earliest convenience.

As a matter of common password maintenance we are also encouraging our customers to reset their FTP and Mailbox passwords for each user, via cPanel.
Please remember to always make your passwords complex, unique, random, and periodically rotate them.

What should VPS Hosting Customers do?

Dedicated server and VPS customers must take immediate action to update to OpenSSL 1.0.1g, which resolves the vulnerability known as Heartbleed.

Please note that:

OpenSSL 1.0.1 through to 1.0.1f (inclusive) IS vulnerable
OpenSSL 1.0.1g IS NOT vulnerable
OpenSSL 1.0.0 IS NOT vulnerable
OpenSSL 0.9.8 IS NOT vulnerable

To check whether your server is vulnerable, you can check online at http://filippo.io/Heartbleed
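The version ranges listed above can be checked locally on a VPS as well. The following shell functions are an added example written for this post, not part of the original advisory or of any vendor tooling: they classify an `openssl version` string against the ranges above (also treating the 1.0.2-beta1 pre-release as vulnerable, which was fixed in 1.0.2-beta2), and the wrapper assumes that the `openssl` binary on PATH is the one your services are linked against.

```shell
#!/bin/sh
# Classify an OpenSSL version string against the Heartbleed ranges:
# 1.0.1 through 1.0.1f vulnerable; 1.0.1g, 1.0.0 and 0.9.8 not.
# Returns 0 (true) when vulnerable, 1 otherwise.
heartbleed_vulnerable() {
    ver="$1"
    # Pre-release 1.0.2-beta1 was also affected (fixed in 1.0.2-beta2).
    case "$ver" in
        1.0.2-beta1*) return 0 ;;
    esac
    # Strip build suffixes such as "-fips" (constructed sample: "1.0.1e-fips")
    # so only the "x.y.z[letter]" token is compared.
    core=$(printf '%s' "$ver" | sed 's/[ +-].*//')
    case "$core" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 .. 1.0.1f: vulnerable
        *) return 1 ;;                   # 1.0.1g and later, 1.0.0, 0.9.8
    esac
}

# Report on the OpenSSL found on this host. Assumption: the "openssl" binary
# on PATH is the library your daemons actually load. Returns 0 if vulnerable,
# 1 if not in the vulnerable range, 2 if openssl is not available.
check_local_openssl() {
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    [ -n "$ver" ] || return 2
    if heartbleed_vulnerable "$ver"; then
        printf 'OpenSSL %s: VULNERABLE to Heartbleed, upgrade to 1.0.1g or later\n' "$ver"
        return 0
    fi
    printf 'OpenSSL %s: not in the vulnerable version range\n' "$ver"
    return 1
}
```

Caveat: distribution packages (Debian, Ubuntu, Red Hat and others) backported the fix while still reporting 1.0.1e, so a "vulnerable" result from the version string alone should be confirmed against the package changelog or the build date shown by `openssl version -b`, and any service that loaded the old library must be restarted after the upgrade for the fix to take effect.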

Customers that are unable to do this themselves or need our assistance are requested to submit a ticket as soon as possible so our engineers can assess and apply the patch on your behalf.

Will you be forcing me to reset my clients.netsolutions.net.au password?

At this time, we will not be forcing you to change your password. We are, however, encouraging our customers to reset their passwords at https://clients.netsolutions.net.au at their earliest convenience as a matter of common password maintenance.

Should I change my passwords on other systems?

Since the Heartbleed bug has had a profound impact on the transmission of secure data throughout the Internet we are encouraging our customers to reset their passwords on all known systems at their earliest convenience as a matter of common password maintenance. Please remember to always make your passwords complex, unique, random, and periodically rotate them.

Tony Sirico
Tony has been developing software since 1980 in many programming languages. Today he focuses on Internet Security and Linux based operating systems. He is a LAMP (Linux, Apache, MySQL and PHP) and Hosting expert.
