Openssl Vulnerability – Heartbleed Bug

What is it?

Chances are, you’ve already heard about the recent discovery of what’s being called the “Heartbleed” bug in OpenSSL. Basically, this is a vulnerability that existed in OpenSSL for around 2+ years. The vulnerability caused by a gap where encrypted information could potentially be leaked out to hackers. It is important to note that this is NOT due to a flaw in SSL, but rather the platform and implementation of the latest batch of OpenSSL updates.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Given the widespread use of OpenSSL on the internet as the implementation for SSL, and the fact that the bug has been in the wild for years, this means that it is possible that a lot of sensitive information may have been stolen by hackers.

Am I affected?

For servers running RHEL/CentOS 5, the version of OpenSSL used is not affected. For servers running RHEL/CentOS 6, the bug was patched the same day the bug was made public. For all servers managed and hosted with us, we have automatically patched the bug the day it was made public on affected servers. However this does mean that you are not vulnerable to the issue. The key used for your SSL certificates may have already been stolen in the time the bug is in the wild.

For safety, if you are running RHEL/CentOS 6, you are recommended to rekey your domain and request for a reissue of the certificate. If you ordered the certificate from us, we will be regenerating the keys and reissuing the certificates automatically as well.

Personally if you have changed your passwords on any affected sites over the past 2 years, you are encouraged to confirm that the affected site have updated their certificates and change your passwords again.