OpenSSL Heartbleed bug


#1

Trying to determine what (if anything) I need to do about the OpenSSL Heartbleed bug with respect to my DreamHost account.

http://heartbleed.com/

Here’s the summary from that website:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.


#2

Hello There,

We can confidently let you know that our shared servers and VPS guests are NOT vulnerable to it since they run Debian Lenny and/or Squeeze. The most common version of OpenSSL on our network is 0.9.8o-4squeeze14. The “HeartBleed” vulnerability is in OpenSSL’s heartbeat module in versions 1.0.1 and 1.0.2-beta.

Cheers!
Matt C
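
As an added illustration (not code from this thread, from DreamHost, or from the OpenSSL project), here is a Python checker that classifies an OpenSSL version string, either the output of `openssl version` or a Debian package version such as the 0.9.8o-4squeeze14 quoted above, against the affected range Matt describes: upstream 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release, with 1.0.1g as the first fixed 1.0.1 release. The distro-suffix heuristic and the sample inventory are constructed for the example; a Debian or Ubuntu package can carry a patched build under an unchanged upstream version, so for those the checker only says to read the package changelog rather than declaring the host vulnerable.

```python
"""Classify OpenSSL version strings against the Heartbleed-affected range."""
import re

# Upstream releases that carried the broken heartbeat code: 1.0.1 through 1.0.1f
# and the 1.0.2-beta1 pre-release. 1.0.1g and 1.0.2-beta2 shipped the fix.
# The 0.9.8 and 1.0.0 branches never contained the TLS heartbeat extension.
LAST_VULNERABLE_101_LETTER = "f"

# Matches '0.9.8o', '1.0.1e' or '1.0.2-beta1' inside strings such as
# 'OpenSSL 1.0.1e 11 Feb 2013' or a Debian package version '0.9.8o-4squeeze14'.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d*))?")

# Debian and Ubuntu ship security fixes as a new package revision without changing
# the upstream version, so these suffixes mean "read the package changelog" rather
# than "vulnerable". Constructed heuristic for this example, not an authoritative list.
_DISTRO_SUFFIX_RE = re.compile(r"\+deb\d+u\d+|ubuntu|lenny|squeeze|wheezy")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, beta) or None if no version is found.

    `letter` is '' for a bare release such as 1.0.1; `beta` is None when there is
    no '-beta' tag, otherwise the digits after it ('' or '1', '2', ...).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, fix, m.group(4), m.group(5)


def heartbleed_status(text):
    """Classify one version string.

    Returns 'not-affected', 'fixed', 'vulnerable', 'check-distro-changelog' or 'unknown'.
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # '' (bare 1.0.1) sorts before 'a', so it is counted as vulnerable too.
        upstream_vulnerable = letter <= LAST_VULNERABLE_101_LETTER
    elif (major, minor, fix) == (1, 0, 2):
        # Only the first beta carried the bug; the 1.0.2 release came after the fix.
        upstream_vulnerable = beta is not None and beta in ("", "1")
    else:
        return "not-affected"
    if not upstream_vulnerable:
        return "fixed"
    if _DISTRO_SUFFIX_RE.search(text):
        return "check-distro-changelog"
    return "vulnerable"


def audit(inventory_lines):
    """Map 'host<TAB>version string' lines to a status per host."""
    results = {}
    for line in inventory_lines:
        host, _, version = line.partition("\t")
        results[host.strip()] = heartbleed_status(version)
    return results


# Constructed sample inventory (not real DreamHost hosts). The first entry uses the
# package version quoted in the thread; the others are made-up version strings.
SAMPLE_INVENTORY = [
    "shared-web-01\t0.9.8o-4squeeze14",
    "mail-03\tOpenSSL 1.0.1e 11 Feb 2013",
    "wheezy-box\t1.0.1e-2+deb7u5",
    "new-build\tOpenSSL 1.0.1g 7 Apr 2014",
    "beta-test\t1.0.2-beta1",
]

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {status}")
```

The version string alone can only rule a host out (0.9.8 and 1.0.0 never had the heartbeat code) or flag it for attention; for a host reporting an upstream-vulnerable version with a distribution package suffix, the package changelog or the vendor advisory decides whether the fix was backported.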


#3

So just to confirm, none of our passwords (accessing the DreamHost web panel, email POP3/IMAP passwords etc.) were at all affected by this Heartbleed issue and we do not need to urgently change any passwords, correct?


#4

What about authenticating to the DreamHost website itself, e.g. panel.dreamhost.com?

thanks,

Arno

Update: Ok, I have since found this note which addresses my and @arksuns questions: http://www.dreamhoststatus.com/2014/04/09/dreamhost-and-heartbleed-notes-on-openssl-vulnerability/ Please post back here / announce once re-keying is complete.


#5

The DreamHost panel was not running a vulnerable version of OpenSSL, and as such does not need to be rekeyed.


#6

Yes, as already noted in http://www.dreamhoststatus.com/2014/04/09/dreamhost-and-heartbleed-notes-on-openssl-vulnerability/. But the blog post is also fairly vague about what exactly was affected. Quote, “was mostly isolated to a small group of mail machines” and “DreamHost.com was not vulnerable, but the machines that redirected traffic to our actual site were”. Can you please elaborate?

thanks.


#7

A subset of DreamHost’s mail servers were using a version of OpenSSL that was affected by this vulnerability. We have updated them to a secured version, and we are in the process of replacing the SSL certificates that were active on them.

With regard to dreamhost.com, our web server was not itself affected by this bug, but some of the servers in our CDN provider’s network were. However, as these servers were responsible only for the “public” section of our web site, not the web panel or any other sensitive services, it is highly improbable that any private information would have been leaked as a result.


#8

This is good news, thanks for the information.