“HeartBleed” bug in OpenSSL could affect more than 2/3 of the internet

OpenSSL announced on Monday, April 7, 2014 that a bug in the heartbeat extension of several versions of OpenSSL allows an attacker to reveal up to 64k of memory. While that may seem like a relatively small amount of memory to hold useful information, the vulnerability can be exploited repeatedly to eventually reveal private/secure information, such as a host’s private key. That defeats the purpose of the encryption, since it would allow anything passing through a secure connection to be immediately decrypted. The Washington Post estimates that more than half a million websites are vulnerable.

QuadraNet recommends that everyone run a check against their server, using a tool such as the one available at https://www.ssllabs.com/ssltest/, and upgrade to the latest version of OpenSSL (1.0.1g). If for some reason upgrading isn’t possible, OpenSSL suggests recompiling with the -DOPENSSL_NO_HEARTBEATS flag, which will remove the vulnerable heartbeats extension. Users finding that one of their servers is vulnerable should immediately revoke all keys and regenerate any keys/certificates after upgrading to the latest version of OpenSSL.
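For a local check to go with the remote scan, the following added example (not QuadraNet's or OpenSSL's own tooling) classifies the output of `openssl version -a` by version string and by the presence of the -DOPENSSL_NO_HEARTBEATS build flag. The affected range it uses (1.0.1 through 1.0.1f, plus the 1.0.2 betas up to beta1) comes from the OpenSSL advisory rather than this page, the function name is hypothetical, and the sample outputs are constructed.

```shell
#!/bin/sh
# Classify the text printed by `openssl version -a` (read from stdin).
# Prints: heartbeats-disabled | affected-range | not-affected | unknown
classify_openssl() {
    info=$(cat)
    # First line looks like "OpenSSL 1.0.1e 11 Feb 2013"; field 2 is the version.
    ver=$(printf '%s\n' "$info" | awk 'NR==1 && $1=="OpenSSL" {print $2}')
    [ -n "$ver" ] || { echo unknown; return 0; }
    # Built with the flag the advisory suggests when upgrading is not possible.
    if printf '%s\n' "$info" | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
        echo heartbeats-disabled; return 0
    fi
    case "$ver" in
        # Assumption (OpenSSL advisory, not this page): 1.0.1 through 1.0.1f and
        # the 1.0.2 betas up to beta1 are affected. Suffixes like "-fips" allowed.
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta|1.0.2-beta1)
            echo affected-range ;;
        *)  echo not-affected ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_AFFECTED='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Jan  7 10:00:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'
SAMPLE_NO_HEARTBEATS='OpenSSL 1.0.1f 6 Jan 2014
built on: Tue Apr  8 09:00:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr  8 09:00:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'

for sample in "$SAMPLE_AFFECTED" "$SAMPLE_NO_HEARTBEATS" "$SAMPLE_FIXED"; do
    printf '%s -> ' "$(printf '%s\n' "$sample" | head -n 1)"
    printf '%s\n' "$sample" | classify_openssl
done

# On a real host. "affected-range" is a prompt to check the vendor package:
# distributions shipped patched builds without changing this version string.
if command -v openssl >/dev/null 2>&1; then
    openssl version -a | classify_openssl
fi
```

The result describes the `openssl` binary on the PATH; a service linked against a different copy of the library needs its own check, and running services must be restarted after an upgrade so they load the fixed library.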

If you have a managed dedicated server with QuadraNet, we’ll be happy to help handle this entire process for you – simply open a ticket with support@quadranet.com and we’ll begin working on it immediately. If you have a self-managed server but have questions about this vulnerability, QuadraNet’s 24x7x365 support team will be happy to help answer any questions you may have as well.

Advisory: https://www.openssl.org/news/secadv_20140407.txt

Latest OpenSSL Version: http://www.openssl.org/source/

** Note: QuadraNet’s management portal (https://manage.quadranet.com) was NOT impacted by Heartbleed and there is no reason to change passwords, etc. Please don’t hesitate to contact us by submitting a ticket to support@quadranet.com if you have any questions about this.