Heartbleed Attack on OpenSSL and LuxSci: What you should know.
If you don’t know yet, an incredibly serious security issue in software used by roughly 66% of all web sites on the Internet was discovered over the last few days. This issue, which has been in existence since 2011, is one of the most serious issues facing the Internet in a long time. Companies all over the world are scrambling to update their systems to protect themselves against Heartbleed attacks.
You can read about this issue here: The Heartbleed Bug
The takeaway is that this is not a weakness in SSL or TLS, but a bug in certain versions of the “openssl” open source SSL library used by very many sites. If exploited, the attacker can get your secure web site’s SSL private keys … thus allowing them to spoof your site and perform “man in the middle” attacks without any SSL errors or warnings. This is really not good.
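One practical question for anyone running their own server is simply whether their openssl build is one of the affected releases. The following POSIX shell snippet is an added example and is not part of the original post: it parses the banner printed by “openssl version” and classifies it against the upstream releases that carried the bug (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g fixed it, and the 0.9.8 and 1.0.0 lines never contained the heartbeat code). The function names and the sample banners are the editor’s own constructions.

```shell
#!/bin/sh
# Added example, not part of the LuxSci post: classify an "openssl version"
# banner by whether that upstream release shipped the Heartbleed bug.
# Affected upstream releases: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g and later fixed it; 0.9.8 and 1.0.0 never had the heartbeat code.
heartbleed_version_status() {
    banner=$1                          # e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    case "$banner" in
        "OpenSSL "*) ;;
        *) echo "unknown"; return 0 ;; # LibreSSL, empty string, etc.: not classified here
    esac
    ver=${banner#"OpenSSL "}           # "1.0.1e 11 Feb 2013"
    ver=${ver%% *}                     # "1.0.1e" (keeps suffixes such as "1.0.1e-fips")
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]*) echo "vulnerable" ;;
        1.0.2-beta1*)              echo "vulnerable" ;;
        0.9.8*|1.0.0*)             echo "not-affected" ;;
        *)                         echo "patched" ;;   # 1.0.1g+, 1.0.2 final and newer
    esac
}

# Convenience wrapper for the binary on this host. Note that a "vulnerable"
# answer is only a version-string match: several distributions shipped the
# fix as a patched package that still reports 1.0.1e or 1.0.1f, so confirm
# against the package changelog before concluding anything.
check_local_openssl() {
    heartbleed_version_status "$(openssl version 2>/dev/null)"
}
```

Run check_local_openssl on a host to classify its binary. The caveat in the comment matters in practice: Debian, Ubuntu and Red Hat all shipped the fix as a rebuilt package that kept the old version string, so “vulnerable” from this check means “go and read the package changelog”, not “exploitable”; conversely, an application that statically links its own copy of openssl can remain affected even when the system library is patched.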
The homework for end users is to change passwords and to replace SSL certificates that they may have purchased themselves for secure email or web services.
Heartbleed and LuxSci
LuxSci’s servers have been fully updated so that they are no longer vulnerable to the Heartbleed attack. We have also re-issued and re-installed our luxsci.com-related certificates and revoked the old ones.
However, openssl had this vulnerability for years before it was “discovered”; because LuxSci actively updates its software, and this bug affected the newer versions of openssl, LuxSci’s servers were running affected versions; and because the attacks leave no trace, there is “no way” to know whether a server was exploited. It is therefore possible that customer SSL certificate private keys were exposed to attackers and thus compromised.
LuxSci recommends that customers hosting SSL-secured web and/or email with their own domain names at LuxSci:
- Have their SSL certificate re-issued, and then
- Have their old SSL certificate “Revoked” … making it no longer valid for use.
LuxSci is doing this for its own SSL certificates. We cannot do this for our clients automatically, as the re-issuance step requires that our clients confirm the re-issuance and also requires an updated Certificate Signing Request (CSR).
Does this apply to you?
Email: If you check your email with a domain name ending in luxsci.com or luxsci.mobi (e.g. secure-email-5.luxsci.com, or smtp-33.luxsci.com, etc.), then we are taking care of all of this for you. If you have Private Labeling and use your own domain name with your own purchased SSL certificate (e.g. mail.yourdomain.com), then you may want to replace that certificate.
WebMail/SecureLine: If you use WebMail and log in through securesend.luxsci.com, webmail.luxsci.com or luxsci.com, then we are taking care of all of this for you. If you have Private Labeling and use your own domain name with your own purchased SSL certificate for WebMail or SecureLine Escrow/SecureSend (e.g. webmail.yourdomain.com or secure.yourdomain.com), then you may want to replace that certificate.
SecureForm: If you use SecureForm and your forms post to “secureform.luxsci.com,” then we are taking care of all of this for you. If you have Private Labeling and use your own domain name with your own purchased SSL certificate for SecureForm (e.g. forms.yourdomain.com), then you may want to replace that certificate.
Hosted Web Sites: If you host your web site with LuxSci and have an SSL certificate to secure that web site, then you may want to replace that certificate.
If you would like to take these steps to update the hosted SSL certificate(s) for your domain(s), here is what you do:
Customers that have purchased SSL through LuxSci:
- Make a Support Ticket requesting that we (a) make new Keys and CSRs for your certificates, and (b) contact Thawte to have a new SSL certificate issued for your domains. (This re-issued certificate will expire at the same time as your current certificate and the re-issuance is free.)
- An email will be sent to your SSL contact email; you will need to receive this and confirm that making the new certificate is “OK”.
- The new certificate will be sent to you and to LuxSci.
- LuxSci will then install your new certificate on its servers as soon as it can schedule that.
- The old certificate will be revoked within a few hours of the time you confirmed the re-issuance.
Note that since the old certificate will be revoked sometime within at most a few hours of the time it is re-issued (and we have no control over when), it is likely that the live certificate could show as revoked before the new one is installed. This may give some end users SSL warnings until the new certificate can be installed by an authorized LuxSci technician. LuxSci will attempt to install these as soon as possible (between 9am and 10pm Eastern Time), but this does depend on scheduling of authorized staff members. If you are unsure … we recommend that you check with us (via phone or ticket) before you click on the link to confirm the re-issuance of your certificate to make sure we can install it soon.
Customers who have purchased their SSL certificates elsewhere:
- Make a Support Ticket requesting that we make new Keys and CSRs for your certificates. We will give you the new CSR.
- You should make a copy of your old certificate.
- Contact your SSL provider and ask them to re-issue your certificate using the new CSR.
- Once that process is complete, give LuxSci your new certificate (and the associated intermediate certificates).
- LuxSci will install your new certificates on its servers
- Once installed, you should contact your provider and revoke the old version of your certificate.
Be sure you check with your SSL provider on what you will need to re-issue the certificate and to revoke the old certificate before you get started.
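For readers who want to see what the key, CSR and verification steps in both of the procedures above look like on the command line, here is an added example; it is not LuxSci’s own tooling, and the file names, the placeholder domain mail.example.com and the self-signed stand-ins for the CA-issued certificates are the editor’s constructions. The two checks it performs are the ones worth doing before you hand a re-issued certificate to whoever installs it: that the certificate really was issued for the new key rather than the old one, and that it is not simply the old certificate again.

```shell
#!/bin/sh
# Added example, not LuxSci's own tooling: the key/CSR and verification steps
# of the re-issuance procedure above, done with the openssl command line.
set -e

# Generate a brand-new private key and a CSR for it. The old key is never
# reused: re-issuing a certificate on a key that may already be exposed
# would leave the new certificate just as spoofable as the old one.
make_key_and_csr() {
    name=$1; domain=$2; outdir=$3
    openssl genrsa -out "$outdir/$name.key" 2048 2>/dev/null
    chmod 600 "$outdir/$name.key"
    openssl req -new -key "$outdir/$name.key" -subj "/CN=$domain" \
        -out "$outdir/$name.csr"
}

# Before installing a delivered certificate, confirm the CA issued it for the
# NEW key: the public key inside the certificate must equal the public half of
# the private key. Returns 0 on match, 1 otherwise.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of a certificate: record the old one before revocation
# and check that the certificate you are about to install is not the old one.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Self-contained walk-through. The CA step is simulated by self-signing the
# CSR (constructed stand-in; a real CA would return the signed certificate).
# Prints "ok" when every check behaves as expected, otherwise the failing check.
reissue_demo() {
    domain=mail.example.com            # placeholder, not a real LuxSci domain
    work=$(mktemp -d)
    # Old (possibly exposed) key and certificate.
    make_key_and_csr old "$domain" "$work"
    openssl x509 -req -in "$work/old.csr" -signkey "$work/old.key" \
        -days 30 -out "$work/old.crt" 2>/dev/null
    # New key and CSR; the .csr file is what goes to the CA (or the support ticket).
    make_key_and_csr new "$domain" "$work"
    openssl x509 -req -in "$work/new.csr" -signkey "$work/new.key" \
        -days 30 -out "$work/new.crt" 2>/dev/null

    result=ok
    cert_matches_key "$work/new.crt" "$work/new.key" || result=new-cert-does-not-match-new-key
    if cert_matches_key "$work/new.crt" "$work/old.key"; then result=new-cert-still-on-old-key; fi
    [ "$(cert_fingerprint "$work/old.crt")" != "$(cert_fingerprint "$work/new.crt")" ] \
        || result=old-and-new-cert-identical
    rm -rf "$work"
    echo "$result"
}
```

In real use you would run make_key_and_csr once per domain, send the .csr to the CA or attach it to the support ticket, keep the .key readable only by the account that runs the web or mail server, and run cert_matches_key on the returned certificate before scheduling the install. The fingerprint of the old certificate is also what you quote when asking the provider to revoke it, and comparing it against what the live server presents after the install tells you the switch actually happened.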
Should you change your passwords?
If you have seen the news, most folks recommend that everyone change their passwords as well.
While LuxSci’s servers do not keep password libraries in memory and the passwords that we do keep are hashed, like almost every web site, the plain text version of your password is in memory on the web server for a few moments during your login process. This then goes away and is overwritten. However, there is no way to be 100% sure that the next connection after yours was not an attack using Heartbleed that was able to read memory that had been freed up but not “garbage collected” by the system and thus got your password. This is very unlikely, but not impossible. It is also possible that a man-in-the-middle attack on you (e.g. when you were at Starbucks or at some hotel) captured your passwords and other data when connecting to LuxSci or any other vendor that was vulnerable.
With Heartbleed, there is no way of knowing who was attacked, if anyone was attacked, by whom, or when. This is why everyone is scrambling to patch systems and replace certificates ASAP, and why it’s best not to take a chance with your passwords.
So, if your account is sensitive, it would be in your best interests to update your password — “just to be sure”. In general it is a good idea to change your passwords frequently anyway … and if you have not been doing so, now is the perfect time to update them all both here at LuxSci and at all other vendors.