Nothing in cyberspace is sacred
In one of the oddest letters to its users I have seen, the NameCheap hosting company finally – on April 11 – sent out an e-mail blast to its users addressing the Heartbleed security breach.
And here it is …
“A critical OpenSSL vulnerability nicknamed “Heartbleed” was discovered recently. IMPORTANT: It is very likely that you are impacted by this vulnerability. Read on for more info.
Details you should know:
1. This is not a vulnerability with SSL Certificates or Namecheap.
2. SSL/TLS is not broken, nor are the digital certificates issued by Comodo or Symantec brands.
3. Users of OpenSSL versions 1.0.1 through 1.0.1f with the heartbeat extension enabled are affected. OpenSSL version 1.0.1g addresses the vulnerability, as well as OpenSSL instances compiled without the heartbeat extension.
4. As a precaution to protect your data, we highly recommend that all Namecheap users change their account passwords.
We have created a detailed Knowledgebase article where you can learn about Heartbleed, determine whether you are affected, and find out what to do next. Please read the article as soon as you can. It’s located here: https://www.namecheap.com/support/knowledgebase/article.aspx/9343”
So, in Points No. 1-3, NameCheap says that nothing happened. But in Point No. 4, it tells everyone to change their server passwords.
Huh? If nothing was affected, why should everyone change their passwords? This sure sounds like they don’t want anyone to know how vulnerable they were.
NSA would be proud. And speaking of the National Security Agency, it knew about Heartbleed … and when this DDoS attack hit, the NSA used it to gather intelligence.
Here, we could make two observations. First, the NSA never has enough intelligence (kinda like Google). Second, there doesn’t appear to be enough intelligence at NameCheap, either, if it expects us to put a happy face on this. You can’t have it both ways. Namecheap says on the one hand it’s likely that users were affected, then says its stuff wasn’t affected, and then says users should change their passwords.