That Heartbleed Bug, That’s what caused my heart to bleed

In Blog by Jerad Hill

Insert references to “Bleeding Heart” by Jimi Hendrix. Ok, now that we have that out of the way, let’s talk about the Heartbleed Bug.

For the most part, everything you consume or send online goes through secure pathways. Researchers have discovered an extremely critical defect in the cryptographic software library that an estimated two-thirds of Web servers use to identify themselves to end users and to prevent the eavesdropping of passwords, banking credentials, and other sensitive data. This defect also has the potential to allow email, chat and other private messaging to be intercepted. Yahoo Mail is the largest and most widely used email service in the world. It is now known that their services were vulnerable to this security defect.

The bug, which is officially referenced as CVE-2014-0160, makes it possible for attackers to recover up to 64 kilobytes of memory from the server or client computer running a vulnerable OpenSSL version.

Servers running secure certificates (SSL) are potentially vulnerable. This is what had me a bit worried. Hill Media Group has many clients running websites that require secure certificates to ensure that there is a secure pathway between the data being entered into the website and the server. This pathway also protects data being sent back to the user from the server. We require sites that have shopping carts, payment forms or scripts that collect private data to be on pages that are running in SSL mode. This is when you see a website go from http to https. You also often see a padlock or some other icon signifying security.

I am happy to announce that all Hill Media Group clients who host their websites with us are not vulnerable to this critical issue dubbed the Heartbleed Bug.

When it comes to website hosting, we take security very seriously. The last thing we want is data loss for any reason. Security updates are made available all the time. Implementing all of them would be a full-time job in itself. Some of these updates come through and are not yet stable. Because of this, we choose to upgrade server software only when stable releases are made available. We also trust the internet security professionals who help us manage our servers to make decisions as to when we should run software updates.

We beat the Heartbleed bug simply because we had not yet updated to the version that was susceptible to intrusion using this method. What this means is that all of our clients who host their websites with us are safe and have nothing to worry about.

Keep in mind that there are always potential security holes that open up. The Heartbleed bug received so much attention because it was a hole in a security protocol that pretty much the entire internet uses. After the dust clears from this recent scare, we will be upgrading our servers to the latest stable version of OpenSSL which will jump right over the Heartbleed bug.

If you are not hosting your website with us and would like to check to see if your website is susceptible to this security breach, use this tool: http://filippo.io/Heartbleed/

It is recommended that anyone who is experiencing this issue with their server upgrade to the latest version of OpenSSL. You can do this by contacting your hosting provider. If you manage your own server, you can download the latest version of OpenSSL here.
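As an added example that is not part of the original post, here is a small Python check for the advice above: it takes the banner printed by `openssl version` on a server and reports whether that version string falls in the range affected by CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; the fix shipped in 1.0.1g). The sample banners are constructed, and the function names are my own.

```python
import re

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner into (major, minor, patch, letter, tag)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, tag = m.groups()
    return int(major), int(minor), int(patch), letter, (tag or "")


def heartbleed_status(banner):
    """Classify a version banner as 'affected', 'fixed' or 'not-affected'.

    Caveat: some distributions (Debian and Ubuntu, for example) backported the
    fix while keeping the 1.0.1e version string, so 'affected' means "version
    string in the affected range"; confirm with the package changelog or an
    online test such as the one linked above before concluding a box is exposed.
    """
    major, minor, patch, letter, tag = parse_openssl_version(banner)
    version = (major, minor, patch)
    if version < (1, 0, 1):
        # The 0.9.8 and 1.0.0 branches never contained the heartbeat bug.
        return "not-affected"
    if version == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return "affected" if letter <= "f" else "fixed"
    if version == (1, 0, 2) and tag == "beta1":
        return "affected"
    # 1.0.2-beta2 onward and every newer branch carry the fix.
    return "fixed"


# Remediation order after an 'affected' result: upgrade OpenSSL first, then
# generate a new private key and have the certificate reissued on that key
# (a reissue on the old key leaves a possibly leaked key in use), then revoke
# the old certificate.

if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version` prints.
    for banner in ["OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 1.0.0l 6 Jan 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013"]:
        print(banner, "->", heartbleed_status(banner))
```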

I would also recommend that you get a new certificate for your domain name. You will have to have the current SSL Certificate revoked so you can have a new one assigned. The reason you would need to do this is because the leak in OpenSSL gave malicious people the ability to grab the Private Key for the certificate. The Private Key is exactly what it sounds like. It’s a key that lets you in the gate.

To be completely honest, I don’t think even the professionals on the subject have any idea what the likelihood is of this affecting small websites like the ones most of us run. Hackers would most likely go after something profitable like banking sites. However, if the server that your website runs on is running this exploitable version of OpenSSL, I think having a new SSL Certificate assigned after the software is updated is not a bad extra insurance measure.

As I write this, the story still continues to unfold. After finding a major issue like this there is much testing to do. Time will tell what the rest of us who were unaffected should do. However, it does serve as a reminder that the internet is not the safest place to put data. This is also why I am reluctant to keep all data in the cloud. I have yet to hear statements from Dropbox and Google Drive, which are two cloud-based file storage and sharing platforms that I use daily.

I hope this helped you understand a bit about what is going on. It is very important that you look into this and also look into the security of the services you use. This affects anything that runs on a server and the entire internet runs on servers. If you are unsure about something, remove the data from it for the time being. Do not put yourself at risk. We are also being advised to change passwords on all websites that we use. At this point there is no way of knowing what data was leaked and what is out there.

Here is a link to the email we sent out to clients. It is important to stay up to date on information like this. If you would like to receive our emails, click here.
