Security analysts this week discovered a major security flaw in OpenSSL, encryption software used by as much as 2/3 of the internet. This vulnerability is being called Heartbleed.
Because of possible exposure of personal and financial data, experts are recommending that users change their passwords for financial sites, retailers, social media accounts, and other sites. I urge you to do that for any sites you use. (Test if your favorite sites are affected.)
But how is your website affected?
This is a vulnerability in the encryption software that servers use for SSL. A patch has been released, so hosting companies’ server admins will be working to upgrade the servers under their supervision.
This only affects websites that use SSL, and there is little that individual website owners should need to do.
Rackspace Hosting
We’ve contacted Rackspace (our hosting provider) about the issue, and they have assured us their servers are protected and all necessary updates have been made.
We’ll watch for updates to their Status page and technical updates on their public issue ticket.
Other Hosting Providers
Many of our clients are hosted with Dreamhost, Bluehost and other companies. We’ll watch their blogs for any relevant announcements.
If you provide your own hosting, we recommend you contact your hosting provider. If any actions are necessary, please let me know.
SSL Websites
For our clients with SSL certificates, we’ll be contacting your SSL providers this morning and taking any necessary actions to protect your site.
WordPress Sites
There’s no indication that WordPress sites have been affected, though a site’s hosting server may be (detailed above).
WordPress released an unrelated security patch yesterday, which has already been applied to most of our client sites. We’ll keep an eye on any new releases and update as needed.
Expression Engine Sites
Similarly, Expression Engine sites have probably not been directly affected, but we’ll watch for any security patches.
Next Steps
I’ll keep an eye on the issue as it develops, but am fairly confident that client sites are safe.
If you have any questions about this vulnerability or your website specifically, please let me know.