Just a quick note regarding the OpenSSL vulnerability, also known as “Heartbleed.”
An excerpt from the Heartbleed bug summary , “Bugs in the OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.”
Without going into great detail, the Heartbleed bug has been in the wild since early 2012. This past week the bug was officially discovered and patched by the global security community.
It is plausible that someone may have maliciously used this bug to intercept your encrypted communications. The likelihood of this is extremely low. This would not have been a random attack. Your hacker would have had to specifically target your domain, as well as have had access to the encrypted data. What I mean by this, is, essentially the hacker in question would have had to have been monitoring the traffic of someone using your domain at the exact time they were connecting via SSL to your website. If you do not have an SSL certificate installed on your domain this entire Heartbleed discussion, in regard to someone compromising your personal data, does not apply to you.
SSL trivia: Renewing or reissuing your SSL certificate will generate new keys, making previously stolen private keys just another random number.
That said, even if your personal website does not use SSL encryption, your web host likely provides SSL (https://) for connecting to their web hosting control panels. In this respect, it would be prudent to ask your web hosting provider whether they have patched vulnerable versions of the OpenSSL software, and will be reissuing new keys for the SSL certificates associated with their customer control panels.
What else should I do as a result of this OpenSSL “Heartbleed” bug announcement?
I recommend taking this opportunity to update “ALL” passwords at all service providers today, whether your provider has updated their SSL keys or not respectively.
I manage a cPanel server for my clients, is there anything else you recommend relating to the OpenSSL “Heartbleed” bug announcement?
Other than following the recommendations for upgrading the OpenSSL libraries, I recommend you consider setting the WHM “Force Password Change” option on your server. See the cPanel WHM Force Password Change Settings documentation for more details.
Other notes and resources relating to the OpenSSL “Heartbleed” bug:
- Alexa Top 10,000 – Websites Vulnerable to the OpenSSL “Heartbleed” Bug
- COMODO SSL Analyzer
- Other OpenSSL bug testing tools: Possible.lv | Filippo.io
- Google mail (Gmail.com) servers have not reissued their own SSL certificates as of April 9, 2014:
Written by Jim Walker, The Hack Repair Guy, +HackRepair, @tvcnet, (619) 479-6637