Urgent security advisory: #Heartbleed – openSSL Vulnerability

This is an urgent security advisory regarding an openSSL security vulnerability CVE-2014-0160, which was revealed today to be a catastrophic, remotely exploitable security vulnerability affecting all applications utilizing openSSL.

The vulnerability was announced via the domain http://www.heartbleed.com

Which versions are affected is unclear:

  • The Heartbleed website says everything above 1.0.0+
  • We also read an unconfirmed report that it was 1.0.1 through 1.0.1f (inclusive)
  • The openSSL advisory dated today states “Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including

    1.0.1f and 1.0.2-beta1”

(To check the openSSL version from your unix shell type: $ openssl version)

The following analysis has been posted regarding the bug:


An online tool that can diagnose if your web server is at risk is online here:



If you are running a vulnerable version:

  • Upgrade your openSSL libs
  • restart any applications that use openSSL

But wait, there’s still more…

You then have to make a decision on whether or not to treat your existing keys as already compromised (because if they were, there is no way you would know it) And if you feel the risk it too great: you must re-issue your SSL certs after generating new private keys and using them to generate new CSRs.

Unfortunately, this is the same thing as buying or renewing your SSL cert(s).

At this point we do not know if the certificate issuers will do something about this unprecedented situation, such as allow free re-issues or offer some kind of price break. But

If you are running an ecommerce website or the security of your customer data is paramount, you may want to do the same thing we did here at easyDNS tonight, which was to go ahead and purchase new SSL certs (after upgrading our openSSL libs and regenerating our keys & CSRs).

Update: Free Cert Re-Issues

It has been pointed out (immediately after emailing this alert to all our SSL customers) that our supplier, GeoTrust, allows free certificate re-issues as long as the info used to generate your CSR hasn’t changed.

Go here: http://www.geotrust.com/support/ssl-certificate-reissuance/

In any case, check with your systems team, assess your vulnerability and keep your children indoors. This is pandemonium.

4 thoughts on “Urgent security advisory: #Heartbleed – openSSL Vulnerability”

  1. Eric Teutsch says:

    Can you please blog on whether (and when) your customers need to change passwords for easydns.com, easypress.ca and easymail.ca (and possibly other services)

    • Mark Jeftovic says:

      Hi Eric, we’re going to post further on this, but our basic stance is this: it is never a bad time to change your passwords.

      You should also look at implementing other security measures on any key vendors that support it, namely

      * 2-factor authentication

      * Access Control Lists (ACLs)

      * Event Notifications (logins, changes, etc)

  2. Soren says:

    Many other websites have put up an announcement as to whether they are affected or not — it would not be too much to put down a message as to

    1) if you are using openssl or another ssl package

    2) if you are using openssl which version (1.0.0 is not affected).

    Easydns is not listed in this log of sites;


    so we cannot find out ourselves.

    • Mark Jeftovic says:

      Hi Soren, I guess I assumed it was clear that when I said we upgraded our libs and re-issued our own certs that meant we were not vulnerable.

      We were using openSSL but have patched and re-issued all affected servers and SSL certs.

      We will probably do a follow up post around this with some recommendations for users (password resets, 2-factor auth, etc)

Leave a Reply

Your email address will not be published. Required fields are marked *