It’s been a while since there was a computer security bug that we all had to worry about. Unfortunately, it seems like we may all have been facing one for two years and not even realized it.
Earlier this week, security researchers announced a security flaw in OpenSSL, a popular data encryption standard, that gives hackers who know about it the ability to extract massive amounts of data from the services that we use every day and assume are mostly secure.
This isn’t simply a bug in some app that can quickly be updated – the vulnerability is in the machines that power services that transmit secure information, like Facebook and Gmail.
Read on to know more about how this affects you as a ResellerClub Reseller.
Steps that we are taking:
- We have updated the OpenSSL packages installed on all our Linux shared hosting servers
- At 05:30 hrs (GMT) on 11 Apr, 2014, Orderbox will face a brief downtime of up to 5 minutes to allow us to make some security upgrades
- During this 5 minute period, no orders on Supersite or API will be processed and any existing sessions on the Control Panel will be logged out, requiring you to login again
Steps that you have to take:
- The Heartbleed bug makes it practically impossible to detect a history of abuse, so to be on the safer side, we strongly recommend that you change your Reseller Account passwords and also announce to your customers that they should change their passwords.
Hosting and/or SSL Certificate customers with Resellerclub:
- If you have purchased both hosting and SSL Certificates for an installation from ResellerClub, follow steps a and c below
- If you have purchased hosting from ResellerClub and have SSL enabled on it with an SSL Certificate from a 3rd party vendor for your installation, follow steps b and c below
- If you have purchased SSL Certificates from ResellerClub but host with a 3rd party provider, follow step a below and reinstall the Certificate according to the instructions of your hosting provider
- a. You will need to re-issue the SSL certificate from the Orderbox control panel by referring to the steps mentioned in the following KB article: http://manage.resellerclub.com/kb/servlet/KBServlet/faq1094.html
- b. You will need to contact your vendor to re-issue the SSL certificate. Once the SSL certificates are re-issued, you need to install the new certificates under the hosting packages.
- c. You will need to install the reissued SSL Certificate by following the instructions relevant to you from the below options:
  For cPanel: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CpanelDocs/ActivateSSLOnYourWebsite
  For Plesk:
- In case you use the ResellerClub API, we strongly suggest that you regenerate your API key by logging into your Control Panel, navigating to Settings >> API and clicking on the ‘Regenerate’ icon to get your revised API key. Update your API calls to use the new key.
If you resell hosting through us, you can use the force password reset option in WHM to ensure that all your hosting customers change their passwords.
What is the Heartbleed bug?
Heartbleed is a flaw in OpenSSL, the open-source encryption standard used by the majority of sites on the web that need to transmit data users want to keep secure. It basically gives you a “secure line” when you’re sending an email or chatting on IM.
Encryption works by making it so that data being sent looks like nonsense to anyone but the intended recipient.
Occasionally, one computer might want to check that there’s still a computer at the end of its secure connection, so it will send out what’s known as a “heartbeat,” a small packet of data that asks for a response.
The researchers found that, due to a programming error in OpenSSL’s implementation of this heartbeat, it was possible to send a well-disguised packet of data that looked like one of these heartbeats and trick the computer at the other end of the connection into sending over data stored in its memory.
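The mismatch behind that trick is between the length a heartbeat claims for its payload and the length the server actually received. The toy model below is an added example, not code from the original post or from OpenSSL: it builds heartbeat messages in the RFC 6520 layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding), runs them through a handler that trusts the length field and through one that applies the same bounds check the OpenSSL fix introduced, and shows what the first one gives away. The bytes standing in for neighbouring process memory are constructed sample data.

```python
import struct

# Constructed sample of whatever happened to sit in memory next to the received
# record (labelled sample data, not anything captured from a real server).
ADJACENT_MEMORY = b"session=abc123; password=hunter2; "

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request: 1-byte type, 2-byte payload_length, payload, padding.
    claimed_len is written into the length field and may disagree with len(payload)."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def handle_vulnerable(record: bytes) -> bytes:
    """Model of the defect: trusts payload_length taken from the message itself and
    copies that many bytes starting at the payload, running past the end of the
    record into whatever memory happens to follow it."""
    memory = record + ADJACENT_MEMORY  # what the process has next to the record
    _hb_type, claimed_len = struct.unpack("!BH", memory[:3])
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + memory[3:3 + claimed_len]


def handle_fixed(record: bytes):
    """Applies the check the OpenSSL fix added: the record must be large enough to
    hold the header, the claimed payload and the minimum padding; otherwise the
    message is silently discarded (returns None)."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    _hb_type, claimed_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed_len + MIN_PADDING > len(record):
        return None
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + record[3:3 + claimed_len]


def leaked_bytes(response: bytes, honest_payload: bytes) -> bytes:
    """Everything in the response beyond the echoed payload and its padding:
    bytes that should never have been sent."""
    return response[3 + len(honest_payload) + MIN_PADDING:]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping", 4)
    print("honest request, vulnerable handler:", handle_vulnerable(honest))
    print("honest request, fixed handler:     ", handle_fixed(honest))

    oversized = build_heartbeat(b"ping", 40)  # claims 40 bytes, actually sends 4
    print("leak from vulnerable handler:", leaked_bytes(handle_vulnerable(oversized), b"ping"))
    print("fixed handler reply:         ", handle_fixed(oversized))
```

Run as a script, the honest request gets the same four-byte echo from both handlers, while the request with the inflated length field draws the neighbouring sample bytes out of the vulnerable handler and is dropped by the fixed one. The single comparison in handle_fixed is the whole patch: the server validates the length against what it received rather than against what the sender claimed.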
How bad is that?
It’s really bad. Web servers can keep a lot of information in their active memory, including user names, passwords, and even the content that users have uploaded to a service. Even worse, the flaw has made it possible for hackers to steal encryption keys, the codes used to turn gibberish encrypted data into readable information.
With the encryption keys, hackers can intercept encrypted data moving to and from a site’s servers and read it, without needing to establish a secure connection of their own. This means that unless the companies running vulnerable servers change their keys, even future traffic will be susceptible.
Additional details can be checked at:
If you have any doubts or queries, please let us know in the comments below!