BLOG

If you have servers using SSL, read this

I was going to post about SSL certification and setup today, but the security world got ahead of me.

Recent versions of openssl – the library used by most applications to implement SSL – released over the past couple of years have a critical bug in them. This bug lets any attacker read any information from the process that’s running SSL, reliably, silently and without leaving any trace on the compromised server that it’s happened.

What’s so dangerous about that? As well as things like usernames, passwords, private email and so on, this lets the attacker take the private key for your SSL certificate. Once they have that private key, they can run a server that pretends to be you, even over SSL, opening up all sorts of shenanigans.

There are more details at heartbleed.com – but the short form is that you should check the version of openssl on all your servers – if it’s running openssl version 1.0.1 through 1.0.1f, it’s vulnerable.

You should obviously upgrade to openssl 1.0.1g on vulnerable machines, but given the scope of the potential attack you might want to consider the information on them already compromised. If so, that’d mean replacing the SSL certificates and changing any passwords the affected services have access to (both user passwords and any service passwords, such as database credentials).

 

1 comment

  1. Jonas Falck says

    Hi!
    We just recently updated our email security appliance (virtual or hardware) with a fix for this vulnerability:
    https://my.halon.se/support/softwareupdates/mailsecurity
    http://www.halonsecurity.com

Comment:

Your email address will not be published. Required fields are marked *

  • Blogging

    It's been a wild week here in the US. I have to admit, the current political climate is affecting my ability to blog about email. I've always said email is not life or death. And how can I focus on the minutia of deliverability when things are in such turmoil and uncertainty? There are many things I want to write about, including some resources for those of us who are struggling with the current administration and changes in the US. What we can do. What we must do.  It just takes work and focus I don't have right now.    1 Comment


  • Email trends for 2017

    Freshmail has published a list of email marketing trends for 2017 from some of their favorite experts. I am honored to be included. Go check it out!No Comments


  • AOL FBL change

    Reminder for folks, AOL is changing their FBL from address starting on Jan 17th. AOLlogoForBlogThe (in)famous scomp@aol.net is going away to be replaced by fbl-no-reply @ postmaster.aol.com. These messages will be signed with the d= mx.postmaster.aol.com. Time to update your scripts!No Comments


Archives