Security researchers have discovered a very serious vulnerability in the OpenSSL library (CVE-2014-0160, nicknamed "Heartbleed"), the library that powers HTTPS on most websites. Many news sources are now covering the story, and we recommend reading their articles to understand the scope of what is happening and the impact of the threat:
- Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
- Scramble to fix huge ‘heartbleed’ security bug
To summarize: it is big. It allows an attacker to read memory from the server that was supposed to be private, up to and including the server's SSL private key itself. ArsTechnica explains it well:
The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there’s no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.
The Tor team summarizes their recommendation by saying, “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”
What Should I Do as a Webmaster?
If you own a website, you must do your part and patch OpenSSL on your operating system. If it is a dedicated server or VPS, that is your responsibility. If you are on a shared hosting platform, contact your hosting provider and ask them to update their servers. To update your own server with the patch, follow these step-by-step directions:
1- Check if your site is vulnerable
We first recommend that you check your site on this page to see if it is vulnerable. If it is, keep reading to see what you need to do, and re-run the check after you finish the steps below to confirm the fix took effect.
2a- Patching Ubuntu/Debian dedicated servers
If you run Ubuntu or Debian on a VPS or dedicated server, you will likely need to patch it yourself. On these distributions the fix ships in the libssl1.0.0 package (the shared library) rather than only in the openssl command-line package, so the quickest way is to update all packages on the operating system:
sudo apt-get update
sudo apt-get upgrade
Then restart Apache (or Nginx) and every other service that uses the library; see step 3.
2b- Patching RedHat/CentOS/Fedora and most cPanel dedicated servers
If you run any RedHat-based server, you can patch it by running a full package update with yum.
Once all packages are updated, you should see inside /var/log/yum.log that OpenSSL was fixed. Note that Red Hat backports the fix without bumping the upstream version number, so `openssl version` will still report 1.0.1e after patching; look at the package release (el6_5.7 or later for CentOS/RHEL 6) or the build date shown by `openssl version -a` instead:
# tail /var/log/yum.log | grep ssl
Apr 08 03:49:26 Updated: openssl-1.0.1e-16.el6_5.7.x86_64
Apr 08 03:49:27 Updated: openssl-devel-1.0.1e-16.el6_5.7.x86_64
Once that is done, you need to restart Apache (and any other service that had the old library loaded) for the fix to take effect.
2c- Other servers
If you are on a shared host, you cannot patch the system yourself. You will need to contact your hosting company and wait for them to apply the patch for you.
If you are using any other Linux (or BSD) distribution on a dedicated server, you need to follow their steps to update OpenSSL.
3- Restart Apache
Do not forget to restart Apache (or Nginx). A running process keeps the old, vulnerable copy of libssl mapped in memory until it is restarted, so updating the package alone changes nothing. We are seeing many patched servers still vulnerable because they forgot this simple step. The same applies to any other service that links against OpenSSL (mail servers, load balancers, VPN daemons); if you are not sure which ones do, reboot the server.
4- Generate new certificates
This vulnerability was publicly disclosed only a day ago, but it is possible that a malicious party has known about it for longer than that. If you run a popular web site or handle confidential information, you should assume the private key may have leaked: generate a brand new private key (do not reuse the old key with a new CSR), have the certificate reissued, and revoke the old one. Do this only after the server is patched and restarted, otherwise the new key can leak the same way. Since the bug can also expose passwords and session cookies held in memory, consider expiring active sessions and asking users to change their passwords once the site is patched.
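The following script is an added example for steps 2 through 4 above; it is not part of the original post or of any distribution's tooling. It reports the installed OpenSSL library version from the package manager, finds processes that still have the old (now deleted) libssl or libcrypto mapped in memory and therefore must be restarted, and generates a fresh private key and CSR for reissuing the certificate. The package names (libssl1.0.0 on Debian/Ubuntu, openssl on RHEL/CentOS) are real, but the lsof sample and the hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the original post): post-patch checks for
# the Heartbleed procedure described above. Package names are the real
# ones for Debian/Ubuntu and RHEL/CentOS; sample data below is constructed.

# Installed OpenSSL library version from the package manager. Compare it
# with the fixed release in your distribution's advisory. On RHEL/CentOS
# the upstream version stays 1.0.1e and only the release part changes.
installed_openssl_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' libssl1.0.0 2>/dev/null   # Debian/Ubuntu shared library
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl               # RHEL/CentOS/Fedora
    fi
}

# Read `lsof -n` output on stdin and print "PID COMMAND" once for every
# process whose mapped libssl or libcrypto is marked "(deleted)": the file
# on disk was replaced by the update, but the process still runs the old,
# vulnerable code and has to be restarted.
procs_with_stale_openssl() {
    awk '/lib(ssl|crypto)[^ ]*\.so/ && /\(deleted\)/ && !seen[$2]++ { print $2, $1 }'
}

# Generate a new 2048-bit RSA key and a CSR for it. Run this only AFTER the
# server is patched and restarted; reusing the possibly leaked old key with
# a new certificate fixes nothing.
new_key_and_csr() {
    host="$1"   # placeholder hostname supplied by the caller
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$host.key" -out "$host.csr" -subj "/CN=$host" 2>/dev/null \
        && chmod 600 "$host.key"
}

# Constructed sample of `lsof -n` output (not from a real host) so the
# parser can be exercised offline. apache2 and sshd still map the deleted
# library; nginx has already been restarted and maps the new file.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 1234 www-data mem REG 252,0 425288 131187 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
apache2 1234 www-data mem REG 252,0 2011200 131161 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
nginx 2201 www-data mem REG 252,0 425288 131990 /lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd 811 root mem REG 252,0 2011200 131161 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)'

# Demonstration on the constructed sample; on a live server (as root, so
# lsof sees every process) use:  lsof -n | procs_with_stale_openssl
printf '%s\n' "$SAMPLE_LSOF" | procs_with_stale_openssl
```

On a real host, run `installed_openssl_version` to confirm the package was replaced, pipe `lsof -n` into `procs_with_stale_openssl` to get the list of services to restart (an empty list after restarting them is the result you want), and call `new_key_and_csr www.example.com` only once that list is empty.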
CloudProxy Users Protected
If your site is behind our CloudProxy web site firewall, you are already protected against this and other external threats. Anyone can sign up for it, regardless of host or CMS, and get their sites protected in just a few minutes.