As some of you already know, a major vulnerability in some versions of the OpenSSL software libraries was announced two days ago. It got the fancy name “HeartBleed” and in short, allows anyone on the Internet to read the server memory protected by the vulnerable versions of the OpenSSL software and hijack your SSL’s private key. The interesting information is that not all old versions of the software are affected and there are some older and some newer ones that have it.
As you should expect from SiteGround, we did not lose any time taking the proper actions under these circumstances and we immediately started patching the vulnerability. On the day the bug was announced, we reviewed how many and which of our servers were affected. Luckily, that weren’t so many servers. As of yesterday, the OpenSSL libraries on those servers are updated to the newest version, which was released with a patch for the HeartBleed vulnerability.
However, as we like to be extra cautious, we decided to take some extra steps to guarantee your comfort and security. It turns out that the updated OpenSSL software will not protect you if, for example, your certificate’s private key was already stolen by hackers. We are NOT aware of any such cases on our servers, however, as we take security very seriously, we decided to re-issue with new private keys all certificates that were installed on the servers with previously vulnerable OpenSSL libraries versions.
We waited for our SSL provider to confirm that they have also patched their software against the same vulnerability so we could begin the reissuance. That was confirmed today and we have now started reissuing the SSLs.
No actions are expected from our customers as the reissuance will be done automatically on a server level and will not affect your website in any way. We will send an email to all customers whose certificates were reissued once we complete the process.
Thank you for trusting us on this matter!