
WebHostFace – Immune to the Heartbleed bug

Lately there has been a lot of noise around the Heartbleed bug (CVE-2014-0160), which prompted many concerned customers to contact us to check whether their websites are vulnerable to it. We assure each one of them that websites hosted on WebHostFace are not only resistant to the Heartbleed bug, but, thanks to our initial server setup, were unaffected even before the vulnerability was found and made public.

Not all versions of OpenSSL are vulnerable, but administrators who prefer to run the latest OpenSSL have most likely been exposed for the last two years. The bug is present in versions from OpenSSL 1.0.1 (released on March 14th 2012) through OpenSSL 1.0.1f (released on January 6th 2014), and it is patched in version 1.0.1g, which was released only days ago (April 7th 2014).

The nature of the bug prevents almost all administrators from knowing whether malicious requests have been made against a website through it. Since encrypted traffic is not usually logged, as doing so would tremendously affect request processing time, there is no traffic history to be checked for malicious requests towards a given website. Thus the most certain ways to be sure that a website has not been compromised through this bug are either knowing that the Heartbeat feature was disabled during compilation, or running an older version of OpenSSL, which statistically is a lot less likely.
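The two pieces of evidence the paragraph above relies on, the OpenSSL version range given earlier and whether Heartbeat was compiled out, can both be read off a server without any traffic history. The script below is an added example, not WebHostFace's own tooling: it classifies a build from the `openssl version` string and from the build configuration (the installed `opensslconf.h`, where OpenSSL's `no-heartbeats` configure option defines `OPENSSL_NO_HEARTBEATS`). The sample version strings and configuration lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not WebHostFace's own tooling: classify an OpenSSL build from
# two pieces of evidence an administrator already has on the box, the
# `openssl version` string and the build configuration (opensslconf.h).
# The sample inputs further down are constructed, not captured from a server.

# Exit status 0 when the version string falls in the range the post names as
# affected, OpenSSL 1.0.1 through 1.0.1f; 1 for anything else (1.0.0x, 1.0.1g, ...).
openssl_version_in_heartbleed_range() {
    # $1 is the full string, e.g. "OpenSSL 1.0.1e 11 Feb 2013"; field 2 is the version
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1)       return 0 ;;   # plain 1.0.1, no letter suffix
        1.0.1[a-f]*) return 0 ;;   # 1.0.1a .. 1.0.1f (suffixes such as -fips allowed)
        *)           return 1 ;;
    esac
}

# Exit status 0 when the build configuration shows the heartbeat extension was
# compiled out (the `no-heartbeats` configure option defines
# OPENSSL_NO_HEARTBEATS in opensslconf.h).
heartbeats_disabled_in_build() {
    printf '%s\n' "$1" | grep -q 'OPENSSL_NO_HEARTBEATS'
}

# Combine both checks into one verdict string:
#   version-outside-range        not in the 1.0.1 .. 1.0.1f range
#   heartbeat-compiled-out       in range, but the extension was never built
#   in-range-heartbeat-enabled   in range and nothing shows it was disabled
heartbleed_assessment() {
    if ! openssl_version_in_heartbleed_range "$1"; then
        echo "version-outside-range"
    elif heartbeats_disabled_in_build "$2"; then
        echo "heartbeat-compiled-out"
    else
        echo "in-range-heartbeat-enabled"
    fi
}

# Constructed sample inputs (not real output captured from any server).
SAMPLE_VERSION_VULN='OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_VERSION_FIXED='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_VERSION_OLD='OpenSSL 1.0.0k 5 Feb 2013'
SAMPLE_CONF_NO_HB='#define OPENSSL_THREADS
#define OPENSSL_NO_HEARTBEATS'
SAMPLE_CONF_HB='#define OPENSSL_THREADS'

# Stand-alone run: print a verdict for each constructed case.
for v in "$SAMPLE_VERSION_VULN" "$SAMPLE_VERSION_FIXED" "$SAMPLE_VERSION_OLD"; do
    printf '%-28s heartbeat built in:     %s\n' "$v" "$(heartbleed_assessment "$v" "$SAMPLE_CONF_HB")"
    printf '%-28s heartbeat compiled out: %s\n' "$v" "$(heartbleed_assessment "$v" "$SAMPLE_CONF_NO_HB")"
done
```

On a real server you would feed `heartbleed_assessment` the output of `openssl version` and the contents of the installed header (for example `/usr/include/openssl/opensslconf.h`; the path is an assumption and varies by platform). Two caveats a practitioner should keep in mind: distribution vendors backport the fix into their packages without changing the upstream version string, so an "in-range" verdict on a packaged 1.0.1e means "check the package changelog", not "confirmed vulnerable"; and "version-outside-range" for an older branch such as 1.0.0 only says this particular bug is absent, not that the build is free of the other issues patched since. To confirm what your own server actually advertises, `openssl s_client -connect yourhost:443 -tlsextdebug` lists the TLS extensions the server sends, and a build with Heartbeat compiled out will not list the heartbeat extension.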

During the initial setup of our shared servers, more than a year ago, we decided to leave the Heartbeat feature disabled in order to provide better performance for our clients who use Shared Hosting plans, namely Face Standard, Face Extra and Email Hosting. Heartbeat can usually provide better performance on servers that host few websites, but our benchmarks and extensive tests showed that when Heartbeat is enabled on a cPanel-based platform that hosts more than a hundred accounts, it has a net negative impact on server performance, which in turn affects website loading time. Even though the impact is quite small, it is still greater than zero, and we always strive to provide the best for our customers.

This is the reason why once hosted with us, websites on a shared platform are immune to the Heartbleed bug.

To learn more about the concept of the Heartbleed bug (CVE-2014-0160) we recommend checking the following resources:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

http://heartbleed.com/

https://filippo.io/Heartbleed/

Although there has been a lot of noise around this bug, it is still important to remember that bugs in any software are found and fixed frequently. This is the major reason why we always recommend to our customers that they update the applications they use, along with the plugins and extensions installed on their websites.

With OpenSSL in particular, CVE-2014-0160 is so far the 3rd bug patched this year alone. For comparison, 5 bugs were patched in 2013 and 9 in 2012. For reference you can check the official vulnerabilities list:

https://www.openssl.org/news/vulnerabilities.html

If you would like more frequent updates about OpenSSL, we suggest regularly checking their Newsflash section, available here:

http://www.openssl.org/news/
