Complete Geek Boutique

Nothing in cyberspace is sacred

NameCheap finally admits Heartbleed vulnerability – kind of

In one of the oddest letters to its users I have seen, the NameCheap hosting company finally – on April 11 – sent out an e-mail blast to its users addressing the Heartbleed security breach.

And here it is …

QUOTE.

“A critical OpenSSL vulnerability nicknamed “Heartbleed” was discovered recently. IMPORTANT: It is very likely that you are impacted by this vulnerability. Read on for more info.

Details you should know:
1. This is not a vulnerability with SSL Certificates or Namecheap.
2. SSL/TLS is not broken, nor are the digital certificates issued by Comodo or Symantec brands.
3. Users of OpenSSL versions 1.0.1 through 1.0.1f with the heartbeat extension enabled are affected. OpenSSL version 1.0.1g addresses the vulnerability, as well as OpenSSL instances compiled without the heartbeat extension.
4. As a precaution to protect your data, we highly recommend that all Namecheap users change their account passwords.

We have created a detailed Knowledgebase article where you can learn about Heartbleed, determine whether you are affected, and find out what to do next. Please read the article as soon as you can. It’s located here: https://www.namecheap.com/support/knowledgebase/article.aspx/9343

UNQUOTE.

So, in points number 1-3, NameCheap says that nothing happened. But in Point No. 4, it tells everyone to change their server passwords.

Huh? If nothing was affected, why should everyone change their passwords? This sure sounds like they don’t want anyone to know how vulnerable they were.

NSA would be proud. And speaking of the National Security Agency, it knew about Heartbleed … and when this DDoS attack hit, the NSA used it to gather intelligence.

Here, we could make two observations. First, the NSA never has enough intelligence (kinda like Google). Second, there doesn’t appear to be enough intelligence at NameCheap, either, if it expects us to put a happy face on this. You can’t have it both ways. Namecheap says on the one hand it’s likely that users were affected, then says its stuff wasn’t affected, and then says users should change their passwords.

Hmmm.
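Point 3 of the quoted e-mail gives a version range that anyone running their own server can check mechanically. The Python sketch below is an added example, not code from NameCheap or from the original post; it classifies the text printed by `openssl version -a` against that range, and the function name, result labels and sample outputs are constructed for illustration.

```python
import re

# Range from point 3 of the quoted e-mail: 1.0.1 through 1.0.1f affected,
# 1.0.1g fixed, builds compiled without the heartbeat extension not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
NO_HEARTBEAT_FLAG = "OPENSSL_NO_HEARTBEATS"  # OpenSSL's compile-time switch


def classify(version_output: str) -> str:
    """Classify the text printed by `openssl version -a` (hypothetical helper)."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    numeric = tuple(int(g) for g in m.group(1, 2, 3))
    letter = m.group(4)  # "" for plain 1.0.1, "e" for 1.0.1e or 1.0.1e-fips
    if numeric != (1, 0, 1):
        return "outside-stated-range"  # the e-mail makes no claim about these
    if letter >= "g":
        return "fixed"
    if NO_HEARTBEAT_FLAG in version_output:
        return "heartbeat-disabled"
    # Distributions may backport the fix without changing this string, so
    # this result means "check the vendor's package changelog", not "exposed".
    return "in-affected-range"


# Constructed sample outputs, trimmed to the lines the classifier reads.
SAMPLES = {
    "stock 1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_THREADS\n",
    "fips 1.0.1e": "OpenSSL 1.0.1e-fips 11 Feb 2013\ncompiler: gcc -fPIC\n",
    "no heartbeat": "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS\n",
    "patched 1.0.1g": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC\n",
    "old 0.9.8y": "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -fPIC\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:15s} -> {classify(text)}")
```

The check only describes the local OpenSSL build; it says nothing about whether a hosting provider's own servers were running an affected version.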


Information

This entry was posted on April 11, 2014 in Geek, Musings.