The Heartbleed bug (http://en.wikipedia.org/wiki/Heartbleed_bug) is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f.

Through a flaw in OpenSSL’s implementation of the heartbeat extension, this vulnerability allows an attacker to read chunks of memory from servers and clients that connect using SSL.

OpenSSL provides critical functionality in the internet ecosystem, so vulnerabilities such as Heartbleed have a significant impact on digital communications and their integrity.

What does this mean for Elcoserv clients?

SSL is an important protocol for securing web traffic, and thus for securing web requests for logins, order transactions, etc. Elcoserv servers, like all web servers, must rely on a correctly implemented SSL protocol. As a member of the internet community, we feel it’s important to raise awareness of the risk and ensure that our users have their servers protected.

How do I check if my server is protected?

Essentially, there are three ways you can verify if your server is protected:
1) You can open a support ticket.
2) You can leverage a third-party scanning tool via the web.
Below are three such sites that the community deems reputable and trustworthy. You simply enter your website and the site will let you know:
http://filippo.io/Heartbleed/
https://www.ssllabs.com/ssltest/
http://possible.lv/tools/hb/
3) For Unmanaged VPS clients, you can run a scanning tool locally on your server with root access over SSH. One such tool is:

https://github.com/n8whnp/ssltest-stls/blob/master/ssltest-stls.py
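
As a complement to option 3, here is an added example (not part of the original advisory or of the tool linked above): a POSIX shell helper that classifies `openssl version` banners against the 1.0.1 through 1.0.1f range stated at the top of this page. The function names and status strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify `openssl version` banners against the range this
# page names as affected (OpenSSL 1.0.1 through 1.0.1f).
# Function names and status strings are hypothetical, chosen for this example.
#
# Usage on the server:  openssl version | heartbleed_report

# heartbleed_status BANNER -> prints in-range | out-of-range | unparsed
heartbleed_status() {
    # Extract the version token from e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
    hb_ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL[[:space:]]\{1,\}\([0-9][0-9.]*[a-z]*\).*/\1/p')
    case $hb_ver in
        '')               echo unparsed ;;      # not an OpenSSL banner
        1.0.1|1.0.1[a-f]) echo in-range ;;      # 1.0.1 through 1.0.1f
        *)                echo out-of-range ;;  # 0.9.8, 1.0.0, 1.0.1g and later
    esac
}

# heartbleed_report: reads banners on stdin, one per line (for hosts with
# several OpenSSL copies), prints "<status><TAB><banner>" for each, and
# returns 1 if any banner is in range so it can gate a script.
heartbleed_report() {
    hb_rc=0
    while IFS= read -r hb_line; do
        hb_status=$(heartbleed_status "$hb_line")
        printf '%s\t%s\n' "$hb_status" "$hb_line"
        if [ "$hb_status" = in-range ]; then
            hb_rc=1
        fi
    done
    return "$hb_rc"
}
```

Distribution packages often backport the fix without changing the version letter, so treat `in-range` as a prompt to check the package changelog rather than as proof of exposure. Services that were already running keep the old library loaded until they are restarted.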

What do I do if my server is not protected?

All our managed hosting and servers are already patched with bug fixes. If you use our Unmanaged VPS, you will need to update the OpenSSL library. If you do not know how to, contact a system administrator immediately! We have the technical expertise to update the OpenSSL libraries on your server to protect your SSL communications going forward.

Once I have patched my server, is there anything else I need to do?

Due to the nature of the vulnerability, it is not possible to immediately know what information, including private keys, passwords, or session IDs, may have been compromised. Attacks that leverage the Heartbleed bug occur very early in an information exchange process, before a full connection has been made, and thus leave no log history that an attack has occurred.

We recommend that you take precautionary action and regenerate all SSH keys as well as reissue all passwords in use.
This would include resetting all your passwords.

How have Elcoserv servers and my account been affected by Heartbleed?

The security patch to fix the issue was released on 7th April, 2014 and the OpenSSL version which fixes the bug was deployed immediately across the entire Elcoserv server fleet. At this moment the Elcoserv website, our public servers, and SSL certificate are not vulnerable to the Heartbleed bug.

Any secure communication with our servers, such as logging into the members area, would not be affected by any attacks following the public disclosure of the Heartbleed bug.

The Heartbleed bug has had a profound impact on the transmission of secure data throughout the Internet. It is for that reason that we are encouraging our customers to reset their client area passwords at their earliest convenience as a matter of common password maintenance. Please remember to always make your passwords unique and random, and to rotate them periodically.