Major Security Vulnerability Uncovered in OpenSSL

A major security vulnerability in the OpenSSL project was announced this week. It stems from a programming flaw in OpenSSL dubbed the Heartbleed Bug. This is a MAJOR security vulnerability which could affect as much as two-thirds of all Internet web traffic, allowing hackers to gain access to everything from user passwords to personal banking data, and even SSL private keys.

Learn more about OpenSSL's Heartbleed Vulnerability at http://www.heartbleed.com.

Frequently Asked Questions

Are GeoCerts' Servers Currently Vulnerable to Heartbleed?

No. We've patched our servers and reissued and replaced our SSL certificates on servers that were using a flawed version of OpenSSL. We urge our SSL customers to do the same.

How can I find out if my servers are currently vulnerable?

Check out this very robust SSL Server Tester from the folks at Qualys SSL Labs.

Are Microsoft Windows Servers Affected?

Maybe... maybe not. It depends. Microsoft's IIS web server does not use OpenSSL; however, as ZDNet's Liam Tung explains, "Microsoft's extensible web server IIS was not affected by the bug. However, that doesn't mean companies that run their websites on it won't be affected..."

Advice for businesses:

  • This is a vulnerability in the OpenSSL library, not a flaw in SSL/TLS or in certificates issued by GeoCerts or our partners at Symantec (formerly VeriSign) and GeoTrust.
  • Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g).
  • After moving to a fixed version of OpenSSL, you should have all SSL certificates installed on any patched servers reissued at GeoCerts free of charge using a new Private Key. You will need to generate a new Private Key and Certificate Signing Request (CSR) for each cert and submit the new CSRs with your reissue request. Once the reissued certificate arrives by email, download, install, and test it.
  • Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server's memory.
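The patch-then-rotate steps above, as an added shell example that is not GeoCerts' own tooling: it classifies an `openssl version` string against the affected 1.0.1 through 1.0.1f range, then generates a fresh private key and CSR for the reissue request. The hostname passed to `rotate_key` is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not part of the GeoCerts advisory.

# Returns 0 (true) when an `openssl version` string such as
# "OpenSSL 1.0.1e 11 Feb 2013" falls in the affected range 1.0.1 .. 1.0.1f.
# Caveat: distributions sometimes backport the fix without bumping the
# letter suffix, so a match here means "check further", not "confirmed".
heartbleed_affected() {
  set -- $1          # split the string into words; $2 is the version
  ver=${2%%-*}       # drop build suffixes such as "-fips"
  case "$ver" in
    1.0.1|1.0.1[a-f]) return 0 ;;
    *) return 1 ;;
  esac
}

# After patching: create a NEW private key and a CSR for the reissue.
# Usage: rotate_key www.example.com   (hostname is a placeholder)
# Writes <host>.key (mode 0600) and <host>.csr in the current directory.
rotate_key() {
  host="$1"
  [ -n "$host" ] || { echo "usage: rotate_key <hostname>" >&2; return 1; }
  # Subshell so the restrictive umask only applies to the key files.
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$host.key" -out "$host.csr" -subj "/CN=$host" ) || return 1
  # Sanity-check the CSR's self-signature before submitting it.
  openssl req -in "$host.csr" -noout -verify >/dev/null 2>&1
}

# Stand-alone run: report whether the local OpenSSL is in the affected range.
if command -v openssl >/dev/null 2>&1; then
  if heartbleed_affected "$(openssl version)"; then
    echo "OpenSSL is in the 1.0.1-1.0.1f range: patch, then rotate keys."
  else
    echo "OpenSSL is outside the affected range (still confirm distro backports)."
  fi
fi
```

Run `rotate_key <hostname>` only after the patched OpenSSL is in place, since a key generated on a still-vulnerable server could itself be exposed.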

Advice for consumers:

  • You should be aware that your data could have been seen by a third party if you used a vulnerable service provider. Change your passwords now and often.
  • Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so.
  • Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain.
  • Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability.
  • Monitor your bank and credit card statements to check for any unusual transactions.

If you have any further questions or concerns on this, please contact a member of your GeoCerts SSL Support team via phone, ticket, or chat.

GeoCerts Support

Please contact our support team if you have any additional problems or questions.

Apr 8, 2014 Scott Rogers