A critical vulnerability nicknamed “Heartbleed” was discovered in OpenSSL, the most popular SSL module used on Linux / cPanel servers. This exploit allows a third party to steal information that would otherwise be secured and encrypted with the SSL/TLS protocol, and to steal the private keys from the certificate pair itself.
Here’s a great site where you can learn more about the vulnerability: heartbleed.com
We’ve implemented updates in all areas where our systems were using affected versions of OpenSSL, and we are following best practices. We have also re-keyed all certificates on our web servers.
- This is not a vulnerability with SSL/TLS or SSLs.com.
- SSL/TLS is not broken, nor are the digital certificates issued by Comodo (now Sectigo) through SSLs.com.
- Users of OpenSSL versions 1.0.1 through 1.0.1f with the heartbeat extension enabled are affected.
- OpenSSL version 1.0.1g addresses the vulnerability, as well as OpenSSL instances compiled without the heartbeat extension.
How does this impact SSLs.com customers?
First of all, if you are not using OpenSSL on your servers, you are not affected.
If you do use OpenSSL, we strongly advise the following:
- Identify which servers are running OpenSSL (versions 1.0.1 through 1.0.1f are affected).
- Update to the latest patched version of the software (1.1.1b), or recompile OpenSSL without the heartbeat extension, if applicable.
- Reissue any SSL certificates on affected web servers after moving to a patched version of OpenSSL.
- Test your SSL installations: https://www.ssllabs.com/ssltest/
- Revoke any certificates that were replaced. Please revoke AFTER the reissue has been completed and you have successfully installed the new certificate on your web server(s).
- Consider resetting end-user passwords that may have been visible in a compromised server memory.
How to Reissue and Revoke Certificates at SSLs.com
Once the certificate is reissued and successfully installed, the original certificate (the one that could be compromised) must be revoked, so that attackers can’t use it to impersonate you.