This morning some of the researchers which were responsible for finding the Heartbleed OpenSSL bug announced that after weeks of testing they have not yet been able to intercept SSL Private Keys utilizing the Heartbleed exploit and have reason to believe it may be impossible. While that would be good news as would mean you do not need to worry about revoking and re-generating/re-keying your SSL Certificates, it is not yet for sure as they mentioned. It would still not be a bad idea to revoke and re-generate your SSL Certificates and you can even take the opportunity to enhance its security by using a 4096 bit key (instead of the typical 2048) and even a SHA256 hash (instead of the typical SHA1) as are now widely supported among modern browsers. We will continue to provide free assistance in revoking and regenerating your SSL Certificates with us no matter the case, if you are interested simply open a ticket or email firstname.lastname@example.org to do the same.
For more information on the Heartbleed update, see the announcement from CloudFlare @ http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
Furthermore, after the circumstances this week we have sped up and completed a security upgrade we were planning to do in May - all of our internal servers including our website have utilized SSL Cipher technology referred to as Perfect Forward Secrecy (PFS), and we have now carried that over to ALL of our servers including those which cover our Hosting users and by this evening all servers under our management will be as well. So what's PFS? Well first you should understand the risk: a malicious attacker can eavesdrop on all your traffic (albeit encrypted) and store it, and then say something like Heartbleed comes up where your SSL Private Keys are vulnerable to interception (even though it may not be as we are now finding out) OR that your Private Key just becomes compromised; that attacker can then take ALL of the stored encrypted communication from the past, however long, and decrypt it ALL with your Private Key. So back to PFS, basically 'Perfect Forward Secrecy' is what it says (Forward Secrecy being the key words) aka today's encrypted information is kept safe even if tomorrow your Private Key is compromised. Most web servers do not utilize PFS because it used to be much more difficult to achieve however with today's browsers and technology it has become more compatible and is finally starting to be more widely utilized as it should be.
For a brief rundown of Perfect Forward Secrecy you can see http://www.perfectforwardsecrecy.com/
Lastly, during the revocation and regeneration of our own Network and Website SSL Certificates this week we, as suggested above, upgraded our own SSL keys to 4096 bit (the maximum) as well as upgraded to a SHA256 hash which together is a vast improvement to the strength of our encryption utilized when you are on our Website, your Hosting Control Panels, Webmail, etc. when compared to the default and standard of 2048bit/SHA1. If you have any questions on PFS or the SSL Upgrades do not hesitate to contact us simply by opening a ticket or emailing us as mentioned above.
Hopefully this news comes has a little bit of better news compared to the past few days, however this does not mean the Heartbleed bug is any less worrisome - while it is a lot better if our SSL Private Keys are safe that is still not completely confirmed and even if so the issue of leaking credentials so easily and so readily available while being undetectable is a very serious exploit and still requires everyone to take action.
Friday, April 11, 2014