As many of you are now aware, yesterday CVE-2014-0160, better known as the “Heartbleed bug”, a vulnerability in the OpenSSL library, was disclosed. This is a serious vulnerability that affects many websites and applications on the internet. As the researchers who found it put it:
“Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”
What have we done?
As soon as this vulnerability was disclosed to us, we immediately began patching our internal systems to the latest, fixed version of OpenSSL. By noon today, all our infrastructure had been updated, our certificates reissued and the old certificates revoked, securing our internal- and external-facing assets.
What should you do?
We advise our customers to follow, where applicable, the same steps we took for our own systems to secure your own website. At this point we have no reason to believe that any credentials have been compromised, but to be on the safe side we recommend you change your cPanel hosting account password as well as your billing area password. Using the same password elsewhere (ill-advised in any case) may lead to it being compromised again.
We also recommend you take a few precautions as a part of your normal workflow:
- Use a password manager that allows you to create strong passwords that are unique for every service you use.
- Revoke your SSL certificate if you have SSL enabled on your site.