Summary
The Heartbleed bug (http://en.wikipedia.org/wiki/Heartbleed_bug) is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f.
This vulnerability allows an attacker to read chunks of memory from servers and clients that connect using SSL through a flaw in OpenSSL's implementation of the heartbeat extension.
OpenSSL provides critical functionality in the internet ecosystem, and therefore vulnerabilities, such as Heartbleed, have a significant impact on digital communications and their integrity.
What does this mean for Apexhost clients?
Apexhost has scanned and checked all its web servers for the vulnerability, and we are confident that none of our servers are vulnerable. However, we cannot control software installed or set up by clients on their own servers.
How do I check if my server is protected?
Essentially, there are three ways you can verify if your server is protected:
1) You can open a support ticket with us.
2) You can leverage a third party scanning tool via the web.
Below are three such sites that the community deems reputable and trustworthy. You simply enter your website and it will let you know:
3) You can run a scanning tool locally on your server. One such tool is:
https://github.com/n8whnp/ssltest-stls/blob/master/ssltest-stls.py
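As a quick first check alongside the options above, this added example (not part of the original Apexhost notice or of the linked scanning tool) classifies an `openssl version` string against the affected range given in the summary, 1.0.1 through 1.0.1f. The function name and the sample strings are constructed for illustration. A result of in-range means the build needs checking against your vendor's patch notes, because distributions backported the fix without changing the version letter.

```shell
#!/bin/sh
# Added example: compare an `openssl version` string with the affected
# range named in the summary (1.0.1 through 1.0.1f).
# classify_openssl_version is a hypothetical helper name.

# Usage: classify_openssl_version "<output of: openssl version>"
# Prints one of: in-range, not-in-range, unknown
classify_openssl_version() {
    # The second field of e.g. "OpenSSL 1.0.1e 11 Feb 2013" is the version.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        "")
            # Not an OpenSSL banner (empty input or a different TLS library).
            echo unknown ;;
        1.0.1|1.0.1-*|1.0.1[abcdef]|1.0.1[abcdef]-*)
            # Inside the affected range. Vendor packages may already carry
            # the fix under the same version string, so confirm with the
            # package changelog or a scanning tool.
            echo in-range ;;
        *)
            echo not-in-range ;;
    esac
}

# Constructed sample banners, one per line, to show each outcome.
samples='OpenSSL 0.9.8y 5 Feb 2013
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.1f 6 Jan 2014
OpenSSL 1.0.1g 7 Apr 2014'

printf '%s\n' "$samples" | while IFS= read -r banner; do
    echo "$banner => $(classify_openssl_version "$banner")"
done

# Check the locally installed command-line OpenSSL, if there is one.
# Services can be linked against a different library copy than the CLI,
# so restart and re-test them after any upgrade.
if command -v openssl >/dev/null 2>&1; then
    live=$(openssl version)
    echo "local: $live => $(classify_openssl_version "$live")"
fi
```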
What do I do if my server is not protected?
Contact Apexhost immediately! They will have the technical expertise to update the OpenSSL libraries on your server to protect your SSL communications going forward.
Once I have patched my server, is there anything else I need to do?
Due to the nature of the vulnerability, it is not possible to immediately know what information, including private keys, passwords, or session IDs, may have been compromised. Attacks that leverage the Heartbleed bug occur very early in an information exchange process, before a full connection has been made, and thus leave no log history that an attack has occurred.
If you have purchased SSL certificates directly from Apexhost, or resell SSL certificates through Apexhost, and wish to regenerate new SSL certificates, we can do so at no charge from Geotrust. You would only need to do this if your test result fails.
How have Apexhost servers and my account been affected by Heartbleed?
The Apexhost website, our public servers, and the Apexhost.com.au SSL certificate end point were not vulnerable to the Heartbleed bug when it was publicly disclosed on April 7th 2014.
Any secure communication with our servers, such as logging into the clients area, would not be affected by any attacks following the public disclosure of the Heartbleed bug.
The Heartbleed bug has had a profound impact on the transmission of secure data throughout the Internet. If you have poor passwords, or passwords such as names or ordinary words, they can be easily broken and should be replaced with a strong password. A strong password is one that has numbers, letters, upper case and lower case, and at least one special character, for example %^&*+. A poor password example would be Pa$$w0rd
Apexhost
Friday, April 11, 2014