What is the Heartbleed bug, and how will it affect my services?

This article relates to your 123 Reg Server running Plesk.

This article will explain the Heartbleed security breach, and what it means to you.

Video Script

Title: Heartbleed OpenSSL Bug – What you need to know


Hi there,

You may have recently heard about the Heartbleed bug, so in this video we will explain to you what the bug is and what you can do to protect your online security.

What is the bug? 

The Heartbleed bug is a flaw in the OpenSSL module, which some services use to provide SSL encryption between your web browser and the website you are viewing.

So what is SSL?

Well, SSL encryption is used by many services, including web browsers, email services and even instant messaging.

It is used to protect all of your passwords, usernames, bank account details and any other personal information which you may send across the internet.

However, a serious flaw has been found in some versions of OpenSSL which could potentially allow a hacker to extract otherwise encrypted data, such as usernames and passwords, from the target server.

It is important to note that not all services use OpenSSL to provide SSL encryption. For example, clients using Microsoft Windows based services are typically unaffected by this bug.

However, a vast majority of websites use SSL encryption to ensure that your data is sent safely between the server and your PC. You will know which sites these are by the https: prefix in the address bar.

So basically, the Heartbleed bug can allow hackers to obtain usernames, passwords and any other personal information which would usually have been protected by SSL.

What is affected?

As OpenSSL is used to protect many internet servers and networks, anything from web servers to email servers and virtual private servers using a vulnerable version of OpenSSL may be affected.

Affected servers are being fixed with what is called a patch, which is applied to protect and restore the server and to ensure that your information is not vulnerable.

If you have your own self-managed server, you may be affected.

You can use this site to test if your server is vulnerable or not.

To find out how to patch and reboot your server if it is affected, and for information on revoking and reissuing SSL certificates, please refer back to this article after watching the video.

What can you do to protect yourself online?

So, you may be affected directly or indirectly by Heartbleed. It is therefore advised that you change your account passwords for your email, social networking sites and any other site which may contain personal information, to help reduce risk.

End title:

For more information and support please visit our support site at www.123-reg.co.uk/support

What is the Heartbleed bug?

Heartbleed compromises web services that use OpenSSL to encrypt sensitive data on their website. This encryption is meant to ensure that only the service provider and their intended recipients can make sense of the data. Many popular services, such as Twitter, Facebook and Gmail, make use of OpenSSL.

The Heartbleed bug means that information sent using this encryption is vulnerable. All data sent across the connection, including the site's content, user passwords and encryption keys, is a viable target for attack.

While a fix to counteract this bug is available, it will have to be applied by the web admin of each server.

This bug fix only applies to Self-Managed clients. Managed clients will have their server patched by us.

The 123 Reg products that are affected by this are servers running:

  • Ubuntu 12.04.4 LTS (OpenSSL 1.0.1-4ubuntu5.11)
  • RedHat, CentOS 6.5 (OpenSSL 1.0.1e-15)

Please note: Windows IIS based dedicated server, VPS and Shared Hosting Accounts are not affected.

So how do I resolve this issue?

Please note: We recommend that you take a backup of your server before beginning this process.

Log in to your server using the command line, and run the commands below:

For CentOS Servers

yum update openssl

For Ubuntu Servers

apt-get update && apt-get install libssl1.0.0

You should then reboot your server.

Once you have rebooted the server, you can test it by running:

rpm -q openssl

to verify that the version is now updated to 1.0.1e-16.el6_5.4.01 or 1.0.1e-16.el6_5.7 or 1.0.1g.

Alternatively, you can test this online at http://filippo.io/heartbleed/
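
The reboot matters because a service started before the update keeps the old library loaded in memory until it is restarted, even though the package version on disk is already the fixed one. As an added example (not part of the original article or 123 Reg's own procedure), the shell function below lists processes that still map a deleted copy of libssl or libcrypto; the function name and its optional proc_root argument are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original article.
# stale_openssl_pids [proc_root]
#   Prints "PID NAME" for every process whose memory map still references a
#   libssl or libcrypto file that has been deleted from disk, i.e. the copy
#   that was loaded before the package update replaced it.
#   proc_root is a hypothetical optional argument (default /proc) so the
#   function can be pointed at a constructed directory tree for testing.
stale_openssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip unmatched globs and processes we are not allowed to inspect.
        [ -r "$maps" ] || continue
        # The kernel appends " (deleted)" to the path of a mapped file that
        # has since been unlinked or replaced.
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            dir="${maps%/maps}"
            pid="${dir##*/}"
            # "Name:" in status is available on old and new kernels alike.
            name="$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null || true)"
            [ -n "$name" ] || name="unknown"
            printf '%s %s\n' "$pid" "$name"
        fi
    done
    return 0
}

# Scan the live system; run as root to see every process.
stale_openssl_pids /proc
```

No output means no running process is holding the old library. Any process that is listed is still using the pre-update code and needs a restart, which the reboot above takes care of.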

What happens next?

Owing to the nature of the bug, you will now need to reissue all SSL certificates assigned to the server, as well as reset all passwords on the system.