SSL HeartBleed Vulnerability Patched

heartbleed1

As some of you already know, a major vulnerability in some versions of the OpenSSL software libraries was announced two days ago. It got the fancy name “HeartBleed” and in short, allows anyone on the Internet to read the server memory protected by the vulnerable versions of the OpenSSL software and hijack your SSL’s private key. The interesting information is that not all old versions of the software are affected and there are some older and some newer ones that have it.

As you should expect from SiteGround, we did not lose any time taking the proper actions under these circumstances and we immediately started patching the vulnerability. On the day the bug was announced, we reviewed how many and which of our servers were affected. Luckily, that weren’t so many servers. As of yesterday, the OpenSSL libraries on those servers are updated to the newest version, which was released with a patch for the HeartBleed vulnerability.

However, as we like to be extra cautious, we decided to take some extra steps to guarantee your comfort and security. It turns out that the updated OpenSSL software will not protect you if, for example, your certificate’s private key was already stolen by hackers. We are NOT aware of any such cases on our servers, however, as we take security very seriously, we decided to re-issue with new private keys all certificates that were installed on the servers with previously vulnerable OpenSSL libraries versions.

We waited for our SSL provider to confirm that they have also patched their software against the same vulnerability so we could begin the reissuance. That was confirmed today and we have now started reissuing the SSLs.

No actions are expected from our customers as the reissuance will be done automatically on a server level and will not affect your website in any way. We will send an email to all customers whose certificates were reissued once we complete the process.

Thank you for trusting us on this matter!

Tenko Nikolov

SiteGround CEO

For the last few years Tenko Nikolov has been one of the masterminds behind the success of SiteGround. He has come up with multiple successful strategies for overcoming technical problems and has achieved real business results for SiteGround. His vision and skills have made SiteGround a leading host in terms of technology and platform reliability.

Security

Comments ( 15 )

Reginald

Apr 09, 2014

Great to hear! Glad you guys took the extra step. Keep it up *from a happy customer* :D

Reply

lily

Apr 09, 2014

Great to hear new knowledge from you. Thanks!

Reply

Jayme

Apr 09, 2014

Thank you for this update. This news, and the transparency with which Siteground is working, is very much appreciated. It was also great to see you posting updates via your Twitter account.

Reply

Keith Davis

Apr 09, 2014

My host has just updated and good to see that you guys are on the ball. I wonder if all hosts are as quick as you guys!

Reply

Jonathan

Apr 10, 2014

So comforting to hear this

Reply

VA

Apr 10, 2014

Should we modify our CPanel, Siteground and application passwords? Info is around also about possibly stolen passwords. Waiting for reply, thanks!

Reply

Marina Siteground Team

Apr 10, 2014

Hello VA, Based on the information we have about the vulnerability, it is highly unlikely that it was ever exploited by hackers on our servers. It was responsibly disclosed and became public after a security patch was released for it. We patched few hours later, hardly giving time to anyone take advantage of the vulnerability. That is why we will not be forcing large scale password change. However, it’s always a good general recommendation to update your passwords frequently and you may use the case as a great motivation to do so. Regards!

Reply

Henry

Apr 11, 2014

Although it was responsibly disclosed, there were at least two teams that discovered it around the same time. There are also rampant rumors that there were leaks about the issue prior to the patch release. SiteGround's prompt response is worthy of kudos. Out of an abundance of caution, I would suggest that you regenerate new self-signed certificates on your servers, also. Ideally the old public key would be added to a certificate revocation list (CRL). Admittedly support for that is dodgy on the Internet.

Reply

Patti

Apr 10, 2014

I am SO glad to be hosting with you!! I knew you guys would be on top of this. My site is SSL so I was worried at first. Much appreciated!!

Reply

Andre Bellafronte

Apr 10, 2014

really good to hear. Transparency and honesty of Siteground! I hope not receive the email for you lol

Reply

Big Fan Yan

Apr 11, 2014

Great work guys! Its good to be in the loop even if I don't get all the jargon.

Reply

Marina Siteground Team

Apr 11, 2014

We have completed the reissuance of the SSL certificates that were installed on servers with previously vulnerable OpenSSL version. It took us longer than expected as due to a bug in the system of our SSL provider, we had to reissue the new private keys twice. All sites should function normally and no action is required from clients. An email is sent to all affected clients.

Reply

James Doolin

Apr 11, 2014

Thank you, confirms my well placed confidence in Siteground.

Reply

Bruce Wilson

Apr 18, 2014

Recently moved to SiteGround and this was so refreshing to see the quickness with attacking the problem and most important the transparency of what you were doing and letting us know immediately.

Reply

WP Valet - Heart Bleed Bug Security and Best Practices » WP Valet

Apr 19, 2014

[…] what WP Engine and SiteGround have to say about their responses to the Heart Bleed […]

Reply

Start discussion

Ready to get your website started?

Choose a hosting plan, start or migrate your site in a few clicks, and grow your online presence!

Get Started Chat with an expert