Urgent security advisory: #Heartbleed – openSSL Vulnerability

This is an urgent security advisory regarding OpenSSL vulnerability CVE-2014-0160, which was revealed today to be a catastrophic, remotely exploitable vulnerability affecting all applications utilizing OpenSSL.

The vulnerability was announced via the domain http://www.heartbleed.com

Which versions are affected is unclear:

  • The Heartbleed website says everything above 1.0.0+
  • We also read an unconfirmed report that it was 1.0.1 through 1.0.1f (inclusive)
  • The OpenSSL advisory dated today states "Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1"

(To check the openSSL version from your unix shell type: $ openssl version)

The following analysis has been posted regarding the bug:

http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

An online tool that can diagnose if your web server is at risk is online here:

http://filippo.io/Heartbleed/

Recommendations:

If you are running a vulnerable version:

  • Upgrade your openSSL libs
  • restart any applications that use openSSL

But wait, there's still more…

You then have to decide whether or not to treat your existing keys as already compromised (because if they were, there is no way you would know it). If you feel the risk is too great, you must re-issue your SSL certs after generating new private keys and using them to generate new CSRs.

Unfortunately, this is the same thing as buying or renewing your SSL cert(s).

At this point we do not know if the certificate issuers will do something about this unprecedented situation, such as allow free re-issues or offer some kind of price break. But if you are running an ecommerce website or the security of your customer data is paramount, you may want to do the same thing we did here at easyDNS tonight, which was to go ahead and purchase new SSL certs (after upgrading our OpenSSL libs and regenerating our keys & CSRs).

Update: Free Cert Re-Issues

It has been pointed out (immediately after emailing this alert to all our SSL customers) that our supplier, GeoTrust, allows free certificate re-issues as long as the info used to generate your CSR hasn't changed.

Go here: http://www.geotrust.com/support/ssl-certificate-reissuance/
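As an added example (this is not code from the easyDNS advisory), the script below classifies an `openssl version` string against the affected ranges quoted above (1.0.1 through 1.0.1f, and 1.0.2-beta1) and then performs the post-upgrade key and CSR regeneration step. The domain name and output directory are placeholders; the `-subj` value is assumed to be the same subject your original CSR used, since GeoTrust's free re-issue requires the CSR info to be unchanged.

```shell
#!/bin/sh
# Added example: Heartbleed version check plus key/CSR regeneration.

# heartbleed_affected "OpenSSL 1.0.1e 11 Feb 2013"  -> prints "affected" or "not-affected"
# Caveat: distributions backport fixes without bumping the version string, so a
# match here means "check your vendor's patch level", not a definitive verdict.
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # second field is the version, e.g. 1.0.1e
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo affected ;;   # 1.0.1 .. 1.0.1f, incl. "-fips" builds
        1.0.2-beta1)                   echo affected ;;
        *)                             echo not-affected ;;
    esac
}

# regen_key_and_csr DOMAIN OUTDIR
# Generates a fresh 2048-bit RSA private key and a CSR signed with it, in a
# directory readable only by the current user. Submit the CSR for re-issuance.
regen_key_and_csr() {
    domain=$1
    outdir=$2
    mkdir -p "$outdir" && chmod 700 "$outdir"
    # subshell so umask 077 (owner-only key file) does not leak into the caller
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$outdir/$domain.key" \
            -out    "$outdir/$domain.csr" \
            -subj   "/CN=$domain"          # assumption: same subject as the old CSR
    )
}

# Usage (run by hand; nothing executes when the file is merely sourced):
#   heartbleed_affected "$(openssl version)"
#   regen_key_and_csr example.com ./newkeys
```

After the CSR is re-issued, install the new cert, restart every service that links OpenSSL, and only then discard the old private key.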

In any case, check with your systems team, assess your vulnerability and keep your children indoors. This is pandemonium.

Bitcoin Payments Are Now Mandatory


Effective immediately, Bitcoin will be the only payment method accepted for all easyDNS services.


Remember this date.


That is all.

The New TLDs are Here. Do You Really Need Yourname.BLARGH?

It's been a long time coming, but as of a few months ago, the onslaught of the new Top Level Domains ("TLDs") has commenced. This is quite the game-changer because the sheer volume of new TLDs necessitates a different strategy for protecting one's interests than was the general convention of the past.

In the past, everybody (except maybe us), would try to whip all their customers into a frenzy around the concept "Get your name under [dot]whatever before somebody else does!" (We were usually a bit more stand-offish about it, being deeply skeptical of that entire model).

Not every new TLD should be "defended" in; there are rare exceptions. .CO, for example, was pretty much set up to capitalize on being one big typo-squat on .COM. (Of course they'll never admit that.)

For many others, we advised against it. .XXX was just plain extortion ("get your name.xxx before some pr0nstar puts up a bestiality site on it!"), .TEL is just so hopelessly flawed and broken that we unceremoniously dropped support for it and not a single customer noticed or cared. .PRO was just a case of horrible execution and nobody misses not having their name.pro (we do DNS for more domains from Antarctica, .AQ, than we do for .PRO – no joke).

So now the new landscape is upon us: new TLDs are coming out so fast we can't even keep track of them ourselves. We've added support for a few of them and they are available now.

What the recent US Government announcement about transitioning the root really means.

I was away when the big announcement came out. The news was, more or less,

"US GOVERNMENT RELINQUISHES CONTROL OF THE INTERNET!!!!!"

and I put it in all caps and underlined and with a lot of !!!! because the people who are busily talking about it in that context are typically newbie type half-wits, or journalists. The latter of which are barely distinguishable from the former, only because they aren't as intelligent and their knuckles tend to drag lower on the pavement when they walk.

Sorry if that sounds harsh, but this is the second time in less than a month I've seen just utterly bombastic and nonsensical reporting, conspiracy theory and just plain wrong information being promulgated over things that are actually non-issues.

Definitive Proof ICANN's New Whois Verification Works

One of my own websites just got knocked offline by that new ICANN Whois Accuracy Program we told you about a few weeks ago. Recall that it's a new policy which requires you to explicitly verify your contact info if you modify your whois record.

Also, I forgot to mention this, if your email address in your whois record ever bounces (like from a WDRP notice), it also triggers the Whois Verification process.

So if you have a stale email address sitting in a contact record somewhere, it will eventually (probably) cause you to go offline: the next time your registrar emails it and it bounces, it will trigger the verification process, which will also bounce. As I just found out with one of my own domains.

But it's all good, because I've fixed my email address and verified my contact info so now the Forces for Good in the world know, definitively and absolutely that the identity behind my domain's contact details are true and correct.

And, I can resume receiving spam, phishing attacks and malware at my now updated email address.

Further Reading

7 Great Web Hosting Screwings To Watch Out For

[ This is a reprint of the "Why Choose easyWEB" page from over on, you know, easyWEB ]

Why easyWEB?


While we may be latecomers to the web hosting space, in the course of helping you manage your domains and DNS for over 15 years we’ve seen pretty well every trick in the book, and we’ve seen our customers suffer the fall-out from having those tricks played on them by third-party web hosts.

“Please start offering web hosting” was a common refrain we heard from you, and we resisted for a long time because we didn’t feel we had the core competencies to offer it. Once we started looking at it, we realized something key about the entire web hosting industry:

99% of the web hosting marketing is deceptive, misleading and/or bait-and-switch.

This shouldn’t come as a surprise (but it did), given that the situation is the same in the domain industry. But the core premise behind easyWEB was to bring the same gimmick-free reliability and responsiveness to web hosting that you’ve come to depend on for your domains and DNS.

This insight involved a deep dive into the current web hosting marketing trends, and in the same spirit as the near legendary “10 Things You Must Know Before You Register a Domain Name With Anybody” we bring you:

The 7 Great Web Hosting Screwings To Watch Out For

#1) 24×7 Support

What 99% of web hosts mean when they say “24×7” support, or even “24×7 email support” is that “you can send us an email any time, 24×7”.

That doesn’t mean you’ll actually get a reply. Especially not at that hour. It’s like the old Dilbert cartoon:

When they say “24×7 support”, it doesn’t mean 24×7 response.

YOU have a moral obligation to use crypto.

Today is The Day We Fight Back, a global initiative to send a message to our overlords that we're not thrilled about being spied on, subject to mass surveillance and basically living in an Orwellian nightmare.

Ordinarily we're not big "joiners" or "petition pushers"; we think taking action has more efficacy. However, this is in its own way doing just that. It is simply unfathomable to me how low on people's radar this issue is.

When the first revelations began surfacing that the NSA had basically implemented a surveillance state, I commented privately "just wait, eventually it will come out that Canada is doing the same thing".

Sure enough, reports started to surface about CSEC's activities, first engaging in industrial espionage against trading partners and then more recently, setting up wifi honeypots in Canadian airports to track Canadian citizens.

What surprised me was the lack of reaction from the populace here about this latest revelation. Trust me: this isn't just about an experiment in an airport tracking metadata, it's just the tip of the iceberg.

A lot of people like using us because we're not in the USA, and some of the rationalizations behind that perceived benefit still hold true: somewhat saner copyright laws (at least for the moment), not being wimps when it comes to idiotic takedown requests, et al.

But the idea that we are somehow "out of reach of the NSA" is definitely not one of them. Sure, we're not actively collaborating with them, as many US businesses are, but as we've said before: we just assume the pipes going into and out of our major network exchange points are being vacuumed en masse.

That's why we recently rolled out GPG encrypted email forwarding and will soon make it available on easyMail where it can encrypt your IMAP mailboxes. It's why we're going to spin out a personal privacy appliance fairly soon.

Welcome to easyDNS, Press 1 for support. Press 2 to get the last 4-digits of your credit card number on file here.

Just kidding.

We've had numerous requests today to comment on this issue, as Naoki Hiroshima's nightmarish tale of how his GoDaddy account, PayPal account and ultimately his highly coveted Twitter handle were compromised, and the latter stolen, went viral.

(Sorry I haven't posted sooner on this, I'm out of the office this week, way up north in a log cabin where not only does it get down to -37C at night, but they told me when I checked in this year "make sure you look outside for wolves before you come out at night or in the morning". Not to mention there's no wifi and I'm tethering through my phone right now.)

Anyhoo, since Naoki Hiroshima's story went viral a lot of you are asking what easyDNS would or wouldn't do. There are similar follow up stories being posted as well, like @jb's similar account.

The common thread in both of those events is that the attackers used social engineering attacks using publicly available information (like address info from whois records) and were able to obtain, from one online service or another, the last 4 digits of the credit card used to make purchases on the account.

As Deadly as a DDoS: ICANN Unleashes the Whois Accuracy Program

[ Sorry about the original title - I probably should have given it a second thought - markjr ]

More effective than a botnet, more sweeping than a Denial-of-Service attack, ICANN has devised a deadly Weapon of Mass Destruction that can instantly render an entire online presence persona non grata regardless of how much redundancy, mitigation muscle-power or firewalls a hapless defender has deployed; this latest attack vector can take it all away, not with one click, but for lack of one….

Know Your Domain Right

(Originally a guest post written for Techdirt)

When I first got into this business I frequently wondered why the domain-policy mailing lists I was getting involved in attracted a lot of activist types.

Over the years it became apparent to me very quickly, that in an emerging era of global communications and transparency (what Anthony Wile calls "The Internet Reformation") – that "the name" (the domain name) along with the ability to "locate it" (DNS) was a central, all-important "secret sauce" to the entire internet.

But it was only gradually that I became aware that it would take centre stage politically and become the battleground between forces for liberty, free speech and emerging civil & business models on one hand and entrenched reactionary, authoritarian, cronyist kleptocrats on the other.
