A critical vulnerability nicknamed “Heartbleed” was discovered in OpenSSL, the most popular SSL library used on Linux / cPanel servers. The vulnerability allows a third party to read information that would otherwise be secured and encrypted with the SSL/TLS protocol, and to steal the private key belonging to the server's certificate.
Here’s a great site where you can learn more about the vulnerability: http://heartbleed.com/.
We’ve implemented updates in all areas where our systems were using affected versions of OpenSSL, and we are following best practices. We have also re-keyed all certificates on our web servers.
- This is not a vulnerability with SSL/TLS or Namecheap.
- SSL/TLS is not broken, nor are the digital certificates issued by the Certificate Authority through Namecheap.
- Users of OpenSSL versions 1.0.1 through 1.0.1f with the heartbeat extension enabled are affected.
- OpenSSL version 1.0.1g addresses the vulnerability, as well as OpenSSL instances compiled without the heartbeat extension.
How does this impact Namecheap customers?
As a precaution to protect your data, we highly recommend that all Namecheap users change their account passwords. The rest depends on the type of services you have with Namecheap:
We have already taken care of the OpenSSL update on all of our managed servers. Unmanaged / self-managed customers who have a VPS or a Dedicated Server with Namecheap will need to do the following to secure their server. We recommend you perform these steps immediately.
For customers with cPanel/WHM:
- Log in to WebHost Manager (WHM);
- Go to cPanel in the left-hand menu;
- Click Upgrade to Latest Version;
- Follow the upgrade instructions;
- Go to Software in the left-hand menu;
- Click Update System Software;
- Follow the upgrade instructions.
For customers with the CentOS operating system (except CentOS 5, since it is not affected by the exploit):
- SSH in as root;
- Run the command ‘yum update’ from the command line;
- Yum will update the at-risk packages.
For customers using the Ubuntu or Debian operating system:
- SSH in as root;
- Run the command ‘apt-get update && apt-get upgrade’.
SSL Certificate customers
First of all, if you are not using OpenSSL on your servers (or are not hosted on one of our Shared hosting plans), you are not affected.
If you do use OpenSSL, we strongly advise the following:
- Identify which servers are running OpenSSL (versions 1.0.1 through 1.0.1f are affected).
- Update to the latest patched version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension, if applicable.
- Reissue any SSL certificates on affected web servers after moving to a patched version of OpenSSL.
- Test your SSL installations.
- Revoke any certificates that were replaced. Please revoke AFTER the reissue has been completed and you have successfully installed it on your web server.
- Consider resetting end-user passwords that may have been visible in a compromised server memory.
- Always refer back to this KB Article for more information.
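As an added example (not part of the original article or Namecheap's own tooling), a small POSIX shell script that classifies an `openssl version` string against the range given above (1.0.1 through 1.0.1f affected, 1.0.1g and later patched) and checks whether the build's compiler flags show the heartbeat extension compiled out:

```shell
#!/bin/sh
# Added example, not part of the Namecheap article: classify an OpenSSL
# version string against the range the article gives (1.0.1 through 1.0.1f
# affected, 1.0.1g and later patched) and check whether a build was
# compiled without the heartbeat extension.

# Prints affected | patched | not_affected | unknown for a version string
# such as "1.0.1e" or the full output of `openssl version`.
heartbleed_status() {
  ver=$(printf '%s\n' "$1" |
    sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p')
  case "$ver" in
    '')               echo unknown ;;
    1.0.1|1.0.1[a-f]) echo affected ;;      # range named in the article
    1.0.1[g-z])       echo patched ;;       # 1.0.1g carries the fix
    *)                echo not_affected ;;  # 0.9.8, 1.0.0 and other branches;
                                            # pre-release 1.0.2 betas are not
                                            # covered by the article's range
  esac
}

# Returns 0 when the compiler flags from `openssl version -f` show the
# heartbeat extension compiled out (-DOPENSSL_NO_HEARTBEATS), else 1.
heartbeat_compiled_out() {
  case "$1" in
    *-DOPENSSL_NO_HEARTBEATS*) return 0 ;;
    *)                         return 1 ;;
  esac
}

# Check the local host only when asked to, e.g.: sh check.sh --check-host
if [ "${1:-}" = "--check-host" ]; then
  v=$(openssl version)
  printf '%s -> %s\n' "$v" "$(heartbleed_status "$v")"
  if heartbeat_compiled_out "$(openssl version -f)"; then
    echo "heartbeat extension compiled out (not vulnerable regardless of version)"
  fi
fi
```

Distribution packages on CentOS, Debian and Ubuntu received the fix as a backport without changing the 1.0.1e version string, so on those systems a result of `affected` must be confirmed against the package changelog (for example `rpm -q --changelog openssl` on CentOS) before acting on it.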
How to Reissue and Revoke Certificates with Namecheap
Reissuance is done from within your Namecheap account and is free of charge. More information on how to reissue an SSL certificate can be found in this guide.
Once the certificate is reissued and successfully installed, the original certificate (the one that could be stolen) must be revoked, so that attackers can’t use it to impersonate you.
In order to revoke your certificate, go to your Namecheap account panel and locate the “Domain list” section. Then find the domain the certificate is issued for and click the “V” button, which you can see on the screenshot below.
Locate your certificate and click the “Manage” button.
On the next page, find all certificates with the status “Replaced”. Click the arrow next to the “See details” button and select “Revoke”.
You will see a warning that the certificate will be revoked and can no longer be used; click “Yes” to proceed.
Once your certificate is revoked, a confirmation message appears in your account.
Note: COMODO certificates are revoked instantly.
Once the process completes, your certificate is revoked.