Apr10
Heartbleed

What To Do About Heartbleed

Posted by Sarah Holt

The word Heartbleed has been all over the headlines recently. Despite its grim name, though, Heartbleed needn’t give you a heart attack.

Basically, Heartbleed is a bug that’s been developed to take advantage of vulnerabilities in certain versions of OpenSSL software. OpenSSL is used by servers, websites and apps to encrypt the sensitive data that they receive and give out. The Heartbleed bug has found a way of accessing some of this encrypted data.

But there’s no need to stress about it. Firstly, not every server or site has been infected by Heartbleed. We’ve checked our Midphase servers and they have been patched, which means they don’t have a vulnerable version of OpenSSL on them.

Of course, there are always things you can do to be extra-safe. If you’re using our web hosting or website builder service, you can sleep easy because we’ve patched your products. However, we advise you to up your security anyway by refreshing all the passwords you use with Midphase.

If you run your own server or virtual machine with Midphase, and you have installed OpenSSL yourself, for use with a self-generated or purchased key, then we suggest you update to the latest version of OpenSSL for real peace of mind.

Step 1

Take a look to see if your server is running an unpatched version of OpenSSL. To do this, just log in to your server and use the following command to see which version you are using.

openssl version -a

The following versions are vulnerable…

OpenSSL 1.0.1 through 1.0.1f (inclusive)

While these versions are not…

OpenSSL 1.0.1g

OpenSSL 1.0.0 branch

OpenSSL 0.9.8 branch

CloudLinux OpenSSL 1.0.1e-16el6_5.7

Step 2

If you discover you are using a vulnerable version, you can update using the following commands.

CentOS

yum check-update

yum -y update openssl

Ubuntu

sudo apt-get update

sudo apt-get install openssl

Debian

sudo apt-get update

sudo apt-get install openssl

Fedora

sudo yum -y install openssl

Step 3

Now you need to re-check the build date of OpenSSL, to make sure the update has worked. Run openssl version -a again and look at the "built on" line. It should say a date that’s April 7 2014 or later.

Step 4

Once you’re sure the update has gone through, you’ll need to regenerate your secure keys and invalidate the ones you were using before. Once you’ve done this, you can restart your services and carry on as normal.
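Steps 1 and 3 can be combined into one check. The script below is an added example, not part of the original post: it reads the output of openssl version -a and applies the version list and the April 7 2014 build-date rule from this page. The build date matters because a distribution can ship a fixed package that still reports a version such as 1.0.1e, as the CloudLinux entry above shows. The function name, the status labels and the sample outputs are constructed for illustration, and the "built on" line layout is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): classify `openssl version -a`
# output using the version list from Step 1 and the build date from Step 3.

heartbleed_status() {
    # $1 = full text printed by `openssl version -a`
    printf '%s\n' "$1" | awk '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
        built = 0   # YYYYMMDD; stays 0 if no parseable build date is found
    }
    NR == 1 && $1 == "OpenSSL" { ver = $2 }
    /^built on:/ && NF >= 8 && ($4 in mon) {
        # Layout assumed: "built on: Tue Apr  8 02:39:29 UTC 2014"
        built = $NF * 10000 + mon[$4] * 100 + $5
    }
    END {
        if (ver ~ /^1\.0\.1[a-f]?([^a-z0-9]|$)/) {
            # Version string is in the vulnerable range; only a build date
            # of April 7 2014 or later counts as patched (fail closed).
            status = (built >= 20140407) ? "patched-build" : "vulnerable"
        } else if (ver ~ /^1\.0\.1[g-z]/ || ver ~ /^1\.0\.0/ || ver ~ /^0\.9\.8/) {
            status = "not-affected"
        } else {
            status = "unknown"   # not covered by the list in this post
        }
        print status
    }'
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_OLD='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan  8 18:40:59 UTC 2014
platform: linux-x86_64'
SAMPLE_PATCHED='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 02:39:29 UTC 2014
platform: linux-x86_64'

echo "old build:     $(heartbleed_status "$SAMPLE_OLD")"
echo "patched build: $(heartbleed_status "$SAMPLE_PATCHED")"
# On a live server: heartbleed_status "$(openssl version -a)"
```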
