9 Apr 2014

SSL HeartBleed Vulnerability Patched


As some of you already know, a major vulnerability in some versions of the OpenSSL software libraries was announced two days ago. It got the fancy name “HeartBleed” and, in short, it allows anyone on the Internet to read the memory of a server running a vulnerable version of OpenSSL and steal your SSL certificate’s private key. Interestingly, not all old versions of the software are affected: the bug is present in some older and some newer versions.

As you should expect from SiteGround, we lost no time in taking the proper actions and immediately started patching the vulnerability. On the day the bug was announced, we reviewed how many and which of our servers were affected. Luckily, there were not that many. As of yesterday, the OpenSSL libraries on those servers have been updated to the newest version, which was released with a patch for the HeartBleed vulnerability.

However, as we like to be extra cautious, we decided to take some extra steps to guarantee your comfort and security. The updated OpenSSL software will not protect you if, for example, your certificate’s private key was already stolen by hackers. We are NOT aware of any such cases on our servers. However, as we take security very seriously, we decided to reissue, with new private keys, all certificates that were installed on servers with previously vulnerable OpenSSL library versions.

We waited for our SSL provider to confirm that they have also patched their software against the same vulnerability so we could begin the reissuance. That was confirmed today and we have now started reissuing the SSLs.

No actions are expected from our customers as the reissuance will be done automatically on a server level and will not affect your website in any way. We will send an email to all customers whose certificates were reissued once we complete the process.
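Reissuing only helps if the new certificate carries a new key pair, so the following added example (not SiteGround's own tooling) compares the public-key fingerprints of the old and the reissued certificate. The file names, the `example.test` subject and the throwaway self-signed certificates are constructed for the demo.

```sh
#!/bin/sh
# Added example: does a reissued certificate really carry a NEW key pair?
# File names and the example.test subject are constructed for this demo.

# Print the SHA-256 fingerprint of a certificate's public key (SPKI, DER).
spki_fingerprint() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Compare the old and the reissued certificate.
# Prints "rekeyed" (exit 0), "same-key" (exit 1) or "error" (exit 2).
check_rekey() {
    old=$(spki_fingerprint "$1") || { echo "error"; return 2; }
    new=$(spki_fingerprint "$2") || { echo "error"; return 2; }
    if [ "$old" = "$new" ]; then
        # Reissued around the old key: a stolen private key still works.
        echo "same-key"; return 1
    fi
    echo "rekeyed"
}

# Build constructed sample certificates in directory $1:
# the original, a reissue that reuses its key, and a reissue with a new key.
make_samples() {
    subj="/CN=example.test"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$1/old.key" -out "$1/old.crt" 2>/dev/null
    openssl req -x509 -new -key "$1/old.key" -days 1 -subj "$subj" \
        -out "$1/renewed_same_key.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$1/new.key" -out "$1/rekeyed.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_samples "$demo"
check_rekey "$demo/old.crt" "$demo/renewed_same_key.crt" || true  # same-key
check_rekey "$demo/old.crt" "$demo/rekeyed.crt"                   # rekeyed
rm -rf "$demo"
```

In practice, point `check_rekey` at the certificate that was served before the reissuance and the one served after it.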

Thank you for trusting us on this matter!

Author: Tenko Nikolov


Comments (15):

  1. Reginald says:

    Great to hear! Glad you guys took the extra step.

    Keep it up *from a happy customer* :D

  2. lily says:

    Great to hear new knowledge from you. Thanks!

  3. Jayme says:

    Thank you for this update. This news, and the transparency with which Siteground is working, is very much appreciated. It was also great to see you posting updates via your Twitter account.

  4. Keith Davis says:

    My host has just updated and good to see that you guys are on the ball.

    I wonder if all hosts are as quick as you guys!

  5. Jonathan says:

    So comforting to hear this

  6. VA says:

    Should we modify our CPanel, Siteground and application passwords?
    Info is around also about possibly stolen passwords.
    Waiting for reply, thanks!

    • Marina says:

      Hello VA,

      Based on the information we have about the vulnerability, it is highly unlikely that it was ever exploited by hackers on our servers. It was responsibly disclosed and became public after a security patch was released for it.

      We patched a few hours later, hardly giving anyone time to take advantage of the vulnerability. That is why we will not be forcing a large-scale password change.

      However, it’s always a good general recommendation to update your passwords frequently and you may use the case as a great motivation to do so.

      Regards!

      • Henry says:

        Although it was responsibly disclosed, there were at least two teams that discovered it around the same time. There are also rampant rumors that there were leaks about the issue prior to the patch release.

        SiteGround’s prompt response is worthy of kudos.

        Out of an abundance of caution, I would suggest that you regenerate new self-signed certificates on your servers, also.

        Ideally the old public key would be added to a certificate revocation list (CRL). Admittedly support for that is dodgy on the Internet.

  7. Patti says:

    I am SO glad to be hosting with you!! I knew you guys would be on top of this. My site is SSL so I was worried at first. Much appreciated!!

  8. Andre Bellafronte says:

    Really good to hear. Transparency and honesty of Siteground! I hope not to receive the email for you lol

  9. Big Fan Yan says:

    Great work guys! It’s good to be in the loop even if I don’t get all the jargon.

  10. Marina says:

    We have completed the reissuance of the SSL certificates that were installed on servers with previously vulnerable OpenSSL version. It took us longer than expected as due to a bug in the system of our SSL provider, we had to reissue the new private keys twice. All sites should function normally and no action is required from clients. An email is sent to all affected clients.

  11. James Doolin says:

    Thank you, confirms my well placed confidence in Siteground.

  12. Bruce Wilson says:

    Recently moved to SiteGround and this was so refreshing to see the quickness with attacking the problem and most important the transparency of what you were doing and letting us know immediately.
