We’ve been unable to access our email (info at bazaargirls.com) since early this morning. It appears that our password has been changed because we’re unable to access our account from any of our computers or cell phones. The gentleman who set up our website several years ago never passed on the login creds to our webpanel so I’ve never been able to access it, and now I’m stuck with no way to get in touch with Dreamhost, and now our email isn’t syncing to our local email clients. Help!
Thank you, I filled out all those fields several hours ago and am awaiting a response. The frustrating thing is that this account was all set up for our business before I started here, and the person who set it up for us is long gone. So I’m one of the business owners, but other than our business details I don’t know how I’ll verify my identity to Dreamhost (other than having them call our business which would be fantastic). I don’t even know what recovery email address he used or where a password reset would be emailed to, so my request just ends up sounding like a phishing scam. Thank you for trying to help.
My business partner noticed that our email client (Thunderbird) is throwing this error: server does not support RFC 5746, see CVE-2009-3555. After a little googling, I found the following comments about this error:
"RFC 5746 describes a Transport Layer Security (TLS) Renegotiation Indication Extension, which is intended to protect against attackers injecting data into the connection early on and thus tricking clients and servers into communicating with each other in a manner that is vulnerable to a man in the middle attack.
CVE-2009-3555 is an old (late 2009) Common Vulnerability and Exposures identifier that basically allows you to learn more about products and product versions which are vulnerable or not to this specific attack. It’s similar to a bug report ID or issue number that a vendor might assign to a problem report, except CVEs can (and in this case it certainly does) cover many different applications.
Thunderbird is informing you (though I agree, definitely not in a very user-friendly manner) that the server you are connecting to does not support the standard that was developed to mitigate this threat, and is aborting the connection attempt because this presents a potential security vulnerability leading to loss of privacy (specifically data confidentiality, in this case of both authentication credentials as well as email traffic).
The place where this needs to be fixed is on the mail server you are connecting to, so you should urge your service provider to immediately upgrade to software that mitigates CVE-2009-3555. Alternatively, since the problem has been known for six years and the fix has been standardized for five and a half years, I would have doubts about what other potential security issues the service provider is not taking seriously, and personally would probably look for alternative service providers."
So does this mean the Dreamhost server needs security upgrades? I still have ssh access and I see that it’s got 211 upgradable packages. Come on Dreamhost, what the heck?!
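For readers who land on the same Thunderbird error: under RFC 5746 a server signals support by including the renegotiation_info extension (type 0xff01) in its ServerHello. The Python sketch below is an added example, not part of the original posts; it parses a ServerHello and reports whether that extension is present. The two ServerHello messages are constructed sample data and the function names are hypothetical.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746


def build_server_hello(extensions):
    """Build a constructed TLS 1.2 ServerHello (sample data, not a capture)."""
    # version 3.3, 32-byte random, empty session_id, cipher suite, null compression
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    return b"\x02" + len(body).to_bytes(3, "big") + body


def server_hello_extensions(msg):
    """Return {extension_type: data} parsed from a ServerHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    pos = 34 + 1 + body[34] + 3  # version, random, session_id, suite, compression
    if pos == len(body):
        return {}  # server sent no extensions block at all
    if pos + 2 > len(body):
        raise ValueError("truncated extensions length")
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    found = {}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension overruns message")
        found[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return found


def supports_rfc5746(msg):
    """True if the ServerHello carries renegotiation_info for an initial handshake."""
    # On a first handshake renegotiated_connection is empty: a single zero length byte.
    return server_hello_extensions(msg).get(RENEGOTIATION_INFO) == b"\x00"
```

A server whose ServerHello lacks the extension is the case Thunderbird is reporting; the fix is on the server's TLS stack, as the quoted comment says.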