HeartBleed has scared a lot of people and caused a significant amount of work for administrators.
It’s frankly been a bit of a disaster for security & the interwebs.
But all is not lost!
This article isn’t the “blah blah we takes your securities seriously…” marketing messages you’ve been getting from your service providers all week – instead it helps to explain a few things, explains what we’ve done, shows you a tool you can use to check sites, and what actions you might want to take, and most importantly, why.
So what is HeartBleed, are you “affected”, and is iControlWP secure?
Heartbleed lets an attacker sniff out small chunks (64 bytes) of data from the memory of a server that is running SSL. It doesn’t matter what the service is, or what else is running on the box… if it uses a vulnerable version of the OpenSSL library with the Heartbeat feature enabled, it’s vulnerable.
On the day that this vulnerability was announced (8th April) we patched all our SSL-termination points. That is, any public-facing server for which there is an SSL connection, we ensured they received the updated OpenSSL.
We sent out a quick tweet on the day to let the curious amongst you know we had sorted it on our side.
We have also since revoked our previous SSL certificates and generated new ones – Why? It ensures that no-one could have “bled” our private SSL data and then gone on to mimic iControlWP with Man in the Middle attacks.
Also, because managing your WordPress sites with us never involves passing your sites’ usernames and passwords through our service, that sort of site-sensitive information would never have been retrievable.
So if we’re all patched up, what about you?
To be on the safe side, you should at least update your iControlWP account password. Why?
Because if you logged into iControlWP and someone actually used HeartBleed to look into iControlWP on that day, they may have been able to sniff your login password. This is not a problem if you use any one of our multi-factor authentication options, as someone who tries to log in as you would fail on the 2nd factor of the authentication.
What to do if you have SSL on your website?
You should immediately check whether your hosting server is affected – you can use this simple tool to do so: HeartBleed Test
Assuming that you’re all clean, ensure that the SSL certificate for the site is revoked and replaced, whether that is your hosting service provider’s job or yours. Check with your SSL certificate provider on how to do just that – they’ll probably have a how-to and an easy certificate-revocation tool.
Remember also that if you use a self-signed SSL certificate, you are just as vulnerable to this security issue. Make sure that your web server has updated its installed OpenSSL package, at least; regenerating a self-signed certificate is rather pointless in this case, but it can do no harm.
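The two checks the steps above ask for (is the server’s OpenSSL still in the vulnerable range, and has the site’s certificate actually been reissued since the disclosure date?) can be scripted. The following is an added example written for this post, not iControlWP’s own tooling or the linked HeartBleed Test; the version strings and certificate dictionaries are constructed samples in the shape `openssl version` and Python’s `ssl` module produce, and the vulnerable version range (1.0.1 up to 1.0.1f, plus 1.0.2-beta1, fixed in 1.0.1g) is the publicly documented one.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# The post gives 8 April (2014) as the day the bug was announced; any certificate
# issued before that date was potentially exposed and should have been replaced.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 8, tzinfo=timezone.utc)

# Upstream OpenSSL releases that shipped the vulnerable heartbeat code.
_VULNERABLE_UPSTREAM = re.compile(r"^(1\.0\.1[a-f]?|1\.0\.2-beta1)$")


def openssl_version_vulnerable(version_string: str) -> bool:
    """Return True if an `openssl version` string names a vulnerable upstream release.

    Caveat: distributions often backport the fix without bumping the version
    string (a patched 1.0.1e is common), so a True here means "check the
    package changelog", not "definitely vulnerable".
    """
    match = re.search(r"OpenSSL\s+(\S+)", version_string)
    if not match:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return bool(_VULNERABLE_UPSTREAM.match(match.group(1)))


def certificate_reissued_after_disclosure(peercert: dict) -> bool:
    """peercert is the dict ssl.SSLSocket.getpeercert() returns; check notBefore."""
    issued_epoch = ssl.cert_time_to_seconds(peercert["notBefore"])
    issued = datetime.fromtimestamp(issued_epoch, tz=timezone.utc)
    return issued >= HEARTBLEED_DISCLOSED


def fetch_peercert(host: str, port: int = 443) -> dict:
    """Live helper (needs network): fetch and validate a site's certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def assess(version_string: str, peercert: dict) -> list:
    """Combine both checks into a list of findings an admin should act on."""
    findings = []
    if openssl_version_vulnerable(version_string):
        findings.append("openssl-version-in-vulnerable-range")
    if not certificate_reissued_after_disclosure(peercert):
        findings.append("certificate-predates-disclosure")
    return findings


# Constructed sample inputs (not taken from any real host).
SAMPLE_VERSION_VULNERABLE = "OpenSSL 1.0.1e 11 Feb 2013"
SAMPLE_VERSION_FIXED = "OpenSSL 1.0.1g 7 Apr 2014"
SAMPLE_CERT_OLD = {
    "subject": ((("commonName", "shop.example.test"),),),
    "notBefore": "Jan 15 12:00:00 2014 GMT",
    "notAfter": "Jan 15 12:00:00 2015 GMT",
}
SAMPLE_CERT_NEW = {
    "subject": ((("commonName", "shop.example.test"),),),
    "notBefore": "May 10 00:00:00 2014 GMT",
    "notAfter": "May 10 00:00:00 2015 GMT",
}

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_VULNERABLE, SAMPLE_CERT_OLD))
    print(assess(SAMPLE_VERSION_FIXED, SAMPLE_CERT_NEW))
```

To run it against a real site you control, pass `fetch_peercert("your-host")` as the second argument and the output of `openssl version` from that server as the first; a certificate that still predates the disclosure is the thing to chase with your provider, because patching OpenSSL alone does not undo a key that may already have leaked.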
Lessons to be learned?
If there is anything to be learned from this whole thing it’s that you should always have at least 2-factor authentication turned on for all your accounts and services, whether that is iControlWP or any other service that you use.
Sure, while the particular vulnerability that HeartBleed exposed could leak out random sensitive data, at the end of the day, no-one can “pretend” to be you after sniffing your passwords (assuming they could even do it) if you are using multi-factor authentication.
With iControlWP we really encourage at least 2-factor authentication, and last week we implemented Yubikey Authentication, which generates One-Time-Passwords so sniffing them doesn’t actually even matter!
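Why a sniffed one-time password is useless to whoever captured it is easy to show in code. The block below is an added illustration, not iControlWP’s or Yubico’s code: it uses the HMAC-based one-time password algorithm from RFC 4226 (HOTP) rather than the Yubikey’s own AES-based OTP format, because the point it demonstrates is the same for both, namely that the server accepts each code at most once and moves on. The secret is the RFC 4226 test-vector key, and the `OtpVerifier` class and its window size are assumptions made for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class OtpVerifier:
    """Server-side state for one token: each counter value is consumed at most once.

    The look-ahead window tolerates a few codes the user generated but never
    submitted; it never allows a counter at or below the last consumed one.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest counter value already accepted

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # consumed: replaying this code now fails
                return True
        return False


# RFC 4226 Appendix D test key (constructed, publicly documented; not a real secret).
TEST_SECRET = b"12345678901234567890"


def replay_demo() -> tuple:
    """Simulate a password sniffer: a captured OTP is replayed after the real login.

    Returns (first_login_ok, replay_ok, next_login_ok).
    """
    server = OtpVerifier(TEST_SECRET)
    captured = hotp(TEST_SECRET, 0)         # the genuine user's first code, sniffed in transit
    first_login_ok = server.verify(captured)
    replay_ok = server.verify(captured)     # attacker submits the same code again
    next_login_ok = server.verify(hotp(TEST_SECRET, 1))  # the real user's next code still works
    return first_login_ok, replay_ok, next_login_ok


if __name__ == "__main__":
    print(replay_demo())  # (True, False, True)
```

The first three RFC 4226 test vectors (counters 0, 1 and 2 give 755224, 287082 and 359152) are a quick way to confirm the `hotp` function against the standard before trusting the verifier around it.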
I know at the beginning I said this article isn’t marketing spiel about how we “value your security” blah blah – we’ve said it before, so repeating it again doesn’t really matter just now. Just understand that the chances that your account password was compromised are slim, but since we don’t ever want to take chances, we’ve taken all the steps necessary to ensure we’re not vulnerable going forward.
So jump into your iControlWP account and change your password, and then check your own SSL sites to ensure they’re up-to-date. And please… please enable some form of 2-factor authentication on your iControlWP account. It can be a bit of a pain sometimes, but it’s reassuring – for you and for us.
If you have any questions or concerns about this, drop us a message in the helpdesk, or in the comments section below. Thanks!