As you may have heard, a major security vulnerability, dubbed “Heartbleed,” was recently discovered in OpenSSL. OpenSSL implements SSL and TLS encryption, which underpins HTTPS—the secure communication between your computer and the servers on the Internet. It is used by about 2/3 of the web servers in the world. This vulnerability was the result of a programming error (a bug) in several versions of OpenSSL. At its worst, Heartbleed allowed potential access to the private key of an SSL certificate as well as to the encrypted communication itself. This means that anyone with the knowledge and skills required to exploit the vulnerability had a window in which to grab your user names, passwords and any other private information you accessed through practically any online service running an affected version of the OpenSSL toolkit.
Below is an overview of the response to this security vulnerability by Sliqua’s engineering team, and its impact on our users.
Enterprise Hosting

A single server out of our web hosting fleet, tower.sliqua.com, was vulnerable to the OpenSSL Heartbleed bug. No users on this server use SSL certificates for their websites, so they were not exposed to private key disclosure. As a precaution, however, Support Engineering patched this server and restarted its services immediately on the morning of April 7, when the bug was initially announced. All other servers run a version of OpenSSL that was not vulnerable. No further action is required by users, as no user data was exposed.

Clustered Mail

After a full system audit, we concluded that no public-facing web servers supporting webmail or administration were exposed. We did, however, find a single SMTP endpoint that was intermittently vulnerable. We immediately removed this server from rotation, applied the proper updates and proceeded to insulate all remaining servers from potential exploitation. At this time we have no reason to believe any sensitive user information was accessed; however, out of an abundance of caution, we recommend that all end users change their email passwords at their earliest convenience. This can be done through our Webmail interface at https://webmail.sliqua.com. Users with local email, in particular those on falcon.sliqua.com, do not need to reset their passwords, as there was no impact. This password reset is only necessary for Clustered Mail users. If you have any questions, don’t hesitate to reach out to us.
Author: Alexander McMillen
President/CEO of Sliqua, Co-founder of Oceanius Networks, Co-chair CFCC Tech Committee. Tweets publicly at http://twitter.com/amcmillen