Category Archives: Hosting

What You Need to Know About the Heartbleed Bug

If you haven’t already heard, a major vulnerability in OpenSSL was disclosed recently. The Heartbleed Bug (CVE-2014-0160), which is as scary as it sounds, lets an attacker read chunks of a server’s memory by exploiting a flaw in OpenSSL’s implementation of the TLS heartbeat extension. It affects OpenSSL 1.0.1 through 1.0.1f; version 1.0.1g, released on April 7, 2014, fixes it.

How it Works

SSL/TLS, the encryption protocol commonly used for securing traffic between web browsers and servers, has an optional keep-alive feature called a “heartbeat” (defined in RFC 6520). Every now and then, an exchange like this happens between the client and the server:

Client: You still there? If so, send back “ALIVE,” which is five characters.

Server: ALIVE

If the heartbeat succeeds, the connection stays open. This keeps happening, over and over, with a different value being passed each time.

Now here’s what happens if someone exploits the Heartbleed bug:

Client: You still there? If so, send back “KITTEN,” which is 300 characters.

Server: KITTEN, followed by the next 294 bytes of whatever happens to be sitting in the server’s memory after the request!

In this manner, an attacker can pull up to about 64KB (the length field is 16 bits) of whatever lies in the process’s memory just past the heartbeat request, every time a heartbeat is sent, because the server never checks the claimed length against the size of the record it actually received. The attacker doesn’t get to choose which memory comes back, but the request can be repeated as often as they like, and it leaves nothing in the web server’s logs. Eventually, they’d get lucky and find something interesting, such as the server’s private key, session cookies, or users’ passwords from requests the server had just decrypted.
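Here is the exchange above as runnable code. This is an added example, not code from the original post or from OpenSSL: the “heap” is a constructed byte string with a fake, clearly labelled secret planted a little past the request, and the two handlers reproduce the essential logic of the vulnerable code (trust the peer’s length field) and of the one-line check that OpenSSL 1.0.1g added (`1 + 2 + payload + 16 > record_length`). Function and constant names are this example’s own.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload

# Constructed stand-in for sensitive data the server process happens to hold.
SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed stand-in, not a real key)"


def build_request(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat request as sent on the wire: type (1) | length (2, big-endian)
    | payload | padding. A well-behaved client writes len(payload) into the
    length field; an attacker writes something much larger."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def handle_vulnerable(heap: bytes, record_len: int) -> Optional[bytes]:
    """The logic OpenSSL 1.0.1 through 1.0.1f used: trust the peer's length
    field and copy that many bytes from the start of the payload, even when
    that runs past the end of the record that was actually received."""
    claimed = struct.unpack("!H", heap[1:3])[0]
    echoed = heap[3:3 + claimed]          # the memcpy that reads beyond the record
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * PADDING


def handle_fixed(heap: bytes, record_len: int) -> Optional[bytes]:
    """The check OpenSSL 1.0.1g added: silently drop any request whose header,
    claimed payload and padding do not fit inside the received record."""
    claimed = struct.unpack("!H", heap[1:3])[0]
    if 1 + 2 + claimed + PADDING > record_len:
        return None
    echoed = heap[3:3 + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * PADDING


def exchange(handler, payload: bytes, claimed_len: int):
    """Run one heartbeat through a handler. The record is laid out at the start
    of a constructed 'heap', with unrelated sensitive data a little further
    along, which is the situation the real bug exploited.
    Returns (response or None, whether SECRET appeared in the response)."""
    record = build_request(payload, claimed_len)
    heap = record + b"\x00" * 40 + SECRET + b"\x00" * 4096   # constructed process memory
    response = handler(heap, len(record))
    leaked = response is not None and SECRET in response[3:]
    return response, leaked


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("fixed", handle_fixed)):
        for payload, claimed in ((b"ALIVE", 5), (b"KITTEN", 300)):
            response, leaked = exchange(handler, payload, claimed)
            size = "dropped" if response is None else f"{len(response)} bytes"
            print(f"{name:10s} {payload.decode()}/{claimed}: {size}, secret leaked: {leaked}")
```

Run it and the honest ALIVE/5 exchange comes back the same from both handlers, while KITTEN/300 gets a 319-byte response containing the planted secret from the vulnerable handler and nothing at all from the fixed one. The attacker never sees the check fail: a dropped heartbeat looks identical to a heartbeat that was simply ignored.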

Exploiting this bug is trivial. (People were posting scripts to test for the vulnerability within minutes of the announcement. Just imagine how quickly malicious types got to work implementing exploits for it!) The vulnerable code had been in OpenSSL since early 2012, so it’s also possible that someone knew about it months or even a couple of years ago and has been exploiting it ever since. Bloomberg even reported that the NSA had known about it for two years and had been exploiting it rather than disclosing it, a claim the agency denied.

Is it Fixed?

Yes! Your Linux distro should already have patched builds in its package repositories, so it’s a simple matter of running a couple of commands to update the openssl and libssl1.0.0 packages, then restarting every service that loads the library: web servers, mail servers, VPNs, databases with TLS enabled, and so on. A running process keeps the old, vulnerable copy of the library mapped in memory until it is restarted, so the restart is not optional. (Or just do a full reboot if you’re paranoid, or unsure what to restart.) Note that Debian and Ubuntu backport the fix rather than upgrading to 1.0.1g, so openssl version will still report 1.0.1e or similar; check the package changelog, or the “built on” date from openssl version -a, which should be April 7, 2014 or later. In the case of Ubuntu, you’d just do something like this to update the packages:

sudo apt-get update
sudo apt-get dist-upgrade
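The easy thing to miss after the upgrade is a long-running process that still has the old library mapped. The kernel marks such mappings “(deleted)” in /proc/PID/maps once the package manager has replaced the file on disk. The following scanner is an added example, not part of the original post or of any distro tooling; the SAMPLE_MAPS lines are constructed to look like a not-yet-restarted nginx worker, and the function names are this example’s own.

```python
import os
import re

# A library the package manager has replaced shows up in /proc/<pid>/maps with a
# "(deleted)" suffix for as long as the old process keeps it mapped.
STALE_SSL = re.compile(r"lib(ssl|crypto)\.so[^ ]* \(deleted\)$")


def stale_ssl_mappings(maps_text):
    """Return the distinct pathnames in one /proc/<pid>/maps listing that refer
    to a deleted libssl or libcrypto, i.e. code from before the upgrade."""
    found = []
    for line in maps_text.splitlines():
        if STALE_SSL.search(line):
            path = line.split(None, 5)[5]   # sixth field is the pathname, spaces included
            if path not in found:
                found.append(path)
    return found


def processes_with_stale_ssl(proc="/proc"):
    """Scan all processes. Returns {pid: (command line, [stale paths])}.
    Other users' maps are only readable as root; unreadable or vanished
    processes (and a missing /proc) are skipped rather than treated as errors."""
    result = {}
    try:
        entries = os.listdir(proc)
    except OSError:
        return result
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as f:
                maps_text = f.read()
            with open(os.path.join(proc, entry, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\x00", b" ").decode("utf-8", "replace").strip()
        except OSError:
            continue
        paths = stale_ssl_mappings(maps_text)
        if paths:
            result[int(entry)] = (cmdline or "[kernel thread]", paths)
    return result


# Constructed sample (not captured from a real host) of what a worker that was
# started before the upgrade might show: libssl and libcrypto both replaced on
# disk but still mapped, libz untouched.
SAMPLE_MAPS = """\
7f1a2b000000-7f1a2b05e000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2b05e000-7f1a2b25d000 ---p 0005e000 08:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2b25d000-7f1a2b261000 r--p 0005d000 08:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2c000000-7f1a2c1d0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1a2d000000-7f1a2d016000 r-xp 00000000 08:01 9012 /lib/x86_64-linux-gnu/libz.so.1.2.8
7fff3a000000-7fff3a021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("sample:", stale_ssl_mappings(SAMPLE_MAPS))
    for pid, (cmdline, paths) in sorted(processes_with_stale_ssl().items()):
        print(f"{pid}\t{cmdline[:60]}\n\t{', '.join(paths)}")
```

Run it as root after the package upgrade; every PID it prints is a service you still need to restart (or a process that was started from a statically linked or privately bundled OpenSSL, which needs its own update). An empty list is the result you want before moving on to reissuing certificates.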

Once the patched library is actually running everywhere, assume your private key was leaked: generate a new private key, have a new certificate issued for it, install it, and then revoke the old certificate. The order matters; a new key generated and served from a still-vulnerable server can be leaked just like the old one. The same memory also held session cookies, API tokens, and any passwords the server process had in its configuration, so invalidate active sessions and rotate those credentials too.

What Should I Do, as a User?

Change your passwords! For anything important—email, banking, etc.—you should pick a new password. Wait until the site has announced that it is patched and has reissued its certificate, though; a password changed on a server that is still vulnerable goes through the same leaky memory as the old one.

GoDaddy Acquires Media Temple

I hope you’re not a Media Temple customer, because I have bad news. GoDaddy has just acquired the hosting company, according to the press release they put out today. SCOTTSDALE, Ariz. (Oct. 15, 2013) — GoDaddy, the Web’s largest platform for small businesses, has…

Deploy GitHub Repositories with GoHub

One popular way to deploy a web application, or even a set of static HTML files in the case of Jekyll blogs, is to add a bare repository on your server with a post-receive hook that catches the files when they’re pushed and copies…

DigitalOcean Review

Since the beginning of April, this site has been hosted by DigitalOcean. I’ve been a longtime customer of VPS.net—from September of 2009 up until April of 2012—but the difference in service was so huge that I had to switch. While VPS.net was a good…

CDNJS: The Missing CDN

The Google CDN is an awesome way to speed up page load times, but it only has a few of the most popular JavaScript libraries. That’s what CloudFlare is aiming to rectify with their CDNJS. They have a ludicrously long list of libraries—JavaScript, CSS,…

ServerBear Benchmarks


The popular options for VPS hosting for the past few years have been the venerable Linode, VPS.net (my provider of choice since 2009), the late SliceHost, Rackspace and Amazon EC2. A new name has been cropping up more and more lately, though: DigitalOcean. After…

Archive Data for One Cent per Month with Amazon Glacier

Amazon recently launched their latest Web Services Product, which aims to help you store data for the long term. Amazon Glacier costs one cent per gigabyte per month to store data, with some limitations on the retrieval. It costs $0.12/GB to retrieve data if…

Ditching GoDaddy? Here Are Some Alternatives

Whether it’s because of the recent major outage, their brazen support for SOPA, or their longstanding questionable business practices, there are many reasons one may wish to avoid doing business with GoDaddy. (Archive.org has a mirror of the old NoDaddy site if you’re curious…


Load Test Your Server with Blitz.io

Want to test how your server performs under load? If you’re in the process of optimizing a server, or have just installed a caching solution, it’s good to see the effect your changes have had. Blitz is a configurable service that will pound your…

Proxying Web APIs with NGINX

Here’s a cool thing I bet you didn’t know could be done with the NGINX server: proxying APIs from web services. Why would you want to do that? Well, for starters, you can avoid running into cross-domain scripting issues. Your client-side JavaScript can query…