Heartbleed or CVE-2014-0160

By gozen Linux, Security 0 Comments

A security flaw that has been discovered the past couple of days has been keeping us busy and apparently not only GoZEN Host administrators but administrators all over the world suffer from this because of the Heartbleed or CVE-2013-0160 bug.

So let’s see what’s the status of this situation.

What’s Heartbleed?

It’s a vulnerability in the way your browser talks to a website over an encrypted channel. An attacker could theoretically take advantage of the bug to unravel the secure channels used by banks, e-commerce sites and other sensitive locations to steal passwords and other sensitive information.

In other words Heartbleed is a flaw in the OpenSSL implementation of the basic cryptographic protocol that secures Web communications, known as SSL.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names, and passwords of the users and the actual content. This allows attackers to steal data directly from the services and users and to impersonate services and users.

What also makes this problem even scarier is the fact that this Vulnerability is there (not known but it was there) since 2012, yes you heard me it was there since 2012 and only got known to everyone (not sure about the hackers) since Monday.

Here at GoZEN Host we started patching our servers and reissuing SSL certificates as soon as all that came out and we feel that no sensitive data has been stolen, but we urge our customers to change all their passwords just in case.

At this point i would like to repeat myself once more about the importance of a good secure password that you keep changing periodically, there’s nothing more secure than a password that you change quite often and you make sure it’s difficult enough for anyone to guess.