Industry News

ICANN Waives Registrar Insurance Requirement

ICANN has announced that Domain Registrars across the world no longer need to procure comprehensive general liability (CGL) insurance in order to maintain their ICANN Accreditation.

Based on public comments received earlier this year, ICANN concluded that the requirement to carry $500,000 in CGL insurance was hindering the development of the domain name industry in certain parts of the world, particularly Africa and the Middle East. This insurance can be difficult to obtain and prohibitively expensive in the developing world.

A few Domain Registries, however, still require CGL insurance from Registrars. For instance, Verisign (.com and .net) and Public Domain Registries (.org, .ngo and .ong) require $1,000,000 CGL Insurance from Registrars.

We definitely welcome ICANN’s decision. In the past, we’ve noticed that prospective partners from developing nations aren’t able to stand toe-to-toe with peers from developed nations because of the steep insurance required to get Accredited.

Got any queries on ICANN Accreditation? Feel free to reach out to us at sales@logicboxes.com

BONUS : Here’s 10 Reasons Why You Should Consider an ICANN Accreditation


POODLE – Vulnerability in SSL 3.0 and how does it affect You

In a clear reminder of the importance of keeping software up to date, Google yesterday announced the discovery of a bug in SSL 3.0, a version of the SSL protocol that is 15 years old. The bug, named POODLE, leaves transactions originating from certain outdated browsers and/or operating systems vulnerable to attack.

The key point, though, is that even though newer and more secure versions of SSL are out and are being used, browsers fall back to older protocols when connections fail. This means an attacker can cause connection problems with the intent of triggering a fallback to a deprecated version of SSL, leading to the exploitation of the service and allowing once-encrypted information to be seen in plain text. The newly disclosed vulnerability in SSL 3.0 does exactly this. The term ‘POODLE’ is an acronym for Padding Oracle On Downgraded Legacy Encryption. You can read more about Google’s assessment of the bug on its Online Security Blog.

As soon as this flaw was announced, we removed access through SSL 3.0 to our servers and there is no reason to suspect any security breach. We strongly suggest that you take note of these developments and take steps to protect yourself against the POODLE loophole.

How does this affect you?

  • If you’re in the less than one percent of users relying on outdated browsers, simply download a newer client such as Mozilla Firefox or Google Chrome. The latest clients use TLS, a more secure protocol than SSL, and have the added benefit of updating automatically, which can help you remain secure in the future!

  • If you are using Chrome, you can disable SSL 3.0 by launching it with the command line flag --ssl-version-min=tls1.

  • If you are using the latest version of Firefox, it will be disabling SSL 3.0 in its November 25th update by default. However, you don’t have to wait for that update. Mozilla has created a plugin that will allow you to set the minimum SSL version that Firefox will accept. Some other workarounds to patch this vulnerability can be found here.

  • If you are using Internet Explorer 11, you can disable SSL 3.0 support by going to: Setting -> Internet Options -> Advanced Tab -> Uncheck “SSLv3” under “Security”.
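The fallback behaviour described above, and the effect of a minimum-version floor such as the settings in this list, can be seen in a small model. This is an added illustration, not code from the original post: it is a toy model rather than real TLS, and `negotiate`, `scenarios` and the `disrupted` parameter are hypothetical names chosen for the example.

```python
# Toy model of the browser fallback dance (added example, not real TLS).
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest


def negotiate(client_min, server_versions, disrupted=()):
    """Return the protocol a falling-back client ends up on, or None.

    client_min      -- oldest version the client accepts (its floor)
    server_versions -- versions the server has enabled
    disrupted       -- offers whose handshake fails in transit; models the
                       "connection problems" the post describes
    """
    floor = VERSIONS.index(client_min)
    # The client offers its newest version first and retries one step lower
    # after each failed handshake, never going below its floor.
    for top in range(len(VERSIONS) - 1, floor - 1, -1):
        if VERSIONS[top] in disrupted:
            continue  # handshake failed, so the client falls back
        # The server picks the newest version it shares with this offer.
        usable = [v for v in VERSIONS[floor:top + 1] if v in server_versions]
        if usable:
            return usable[-1]
    return None  # the connection fails instead of being downgraded


def scenarios():
    tls_only = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
    legacy = ["SSLv3"] + tls_only
    return {
        "no interference": negotiate("SSLv3", legacy),
        "interference, SSLv3 on both sides": negotiate("SSLv3", legacy, tls_only),
        "client floor raised to TLSv1.0": negotiate("TLSv1.0", legacy, tls_only),
        "SSLv3 removed from server": negotiate("SSLv3", tls_only, tls_only),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Raising the floor on either side turns the forced downgrade into a failed connection, which is the outcome both the browser settings above and the server-side removal of SSL 3.0 aim for.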

Further Reading:

We strongly suggest that you communicate the discovery of this bug and its remedy to all your clients.

If you’re a LogicBoxes Partner, stay tuned to our forums for further updates! Feel free to get in touch with us if you need any further information!


The Heartbleed Bug – What’s going on!?


The internet is abuzz with reports on the Heartbleed Bug and how it could be one of the biggest security threats the Internet has ever seen. Earlier this week, security researchers announced a security flaw in OpenSSL (a popular data encryption standard) that gives hackers the ability to extract massive amounts of data from the services that we use every day and assume are mostly secure. The bug exposes a potential vulnerability on any machine powering services that transmit secure information, like Facebook and Gmail.

At LogicBoxes, we have already implemented remedial measures so as to secure the Businesses of our Partners from any further security threats due to this bug. In this blog post we’ll take you through:

  • What is the Heartbleed bug?
  • What steps are we taking?
  • What steps should you be taking?

What is the Heartbleed Bug?

Heartbleed is a flaw in OpenSSL, the open-source encryption standard used by the majority of sites on the web to encrypt transmitted data that users want to keep secure. It basically gives you a “secure line” when you’re sending an email or chatting on IM. Encryption works by making the data that is sent look illogical to anyone but the intended recipient.

Occasionally, one computer might want to check that there’s still a computer at the end of its secure connection, so it will send out what’s known as a “heartbeat,” a small packet of data that asks for a response.

Due to a programming error in the implementation of OpenSSL, the researchers found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats to trick the computer at the other end of a connection into sending over data stored in its memory.
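The missing check behind this error can be shown as a validator over heartbeat records. This is an added example, not code from the original post or from OpenSSL: it follows the heartbeat message layout in RFC 6520 (type, 2-byte payload length, payload, at least 16 bytes of padding), assumes it is given plaintext record bytes, and the names `classify`, `scan` and `record` and all sample records are constructed for the illustration.

```python
import struct

HEARTBEAT = 24      # TLS record content type assigned to heartbeat (RFC 6520)
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding after the payload


def classify(ctype, body):
    """Classify one record body the way a patched receiver must validate it."""
    if ctype != HEARTBEAT:
        return "other"
    if len(body) < 1 + 2 + MIN_PADDING:
        return "malformed"          # too short to be a heartbeat at all
    _hb_type, claimed = struct.unpack("!BH", body[:3])
    # The check the vulnerable code lacked: type + length field + claimed
    # payload + padding must fit inside the bytes actually received.
    if 1 + 2 + claimed + MIN_PADDING > len(body):
        return "length-mismatch"
    return "ok"


def scan(stream):
    """Walk concatenated plaintext TLS records; return one verdict per record."""
    verdicts, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _version, rec_len = struct.unpack("!BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + rec_len]
        if len(body) < rec_len:
            verdicts.append("truncated")
            break
        verdicts.append(classify(ctype, body))
        pos += 5 + rec_len
    return verdicts


def record(ctype, body):
    """Frame a body as a TLS 1.1 record (helper for the constructed samples)."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body


# Constructed samples: an honest heartbeat (length field matches its 4-byte
# payload), one whose length field claims 16384 bytes it does not carry,
# and an unrelated alert record.
HONEST = record(HEARTBEAT, struct.pack("!BH", 1, 4) + b"ping" + bytes(MIN_PADDING))
LYING = record(HEARTBEAT, struct.pack("!BH", 1, 16384) + bytes(MIN_PADDING))
ALERT = record(21, b"\x01\x00")
SAMPLE_STREAM = HONEST + LYING + ALERT

if __name__ == "__main__":
    print(scan(SAMPLE_STREAM))
```

A receiver that echoes back `claimed` bytes without this comparison reads past the data it was actually sent; RFC 6520 requires such messages to be discarded silently.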

How bad is that?

It is really bad. Web servers can keep a lot of information in their active memory, including usernames, passwords, and even the content that users have uploaded to a service. This flaw, however, has worse implications as it makes it possible for hackers to steal encryption keys – the codes used to turn gibberish encrypted data into readable information. With encryption keys, hackers can intercept encrypted data moving to and from a site’s servers and read it without establishing a secure connection. This means that unless the companies running vulnerable servers change their keys, even future traffic will be susceptible.

What steps are we taking?

The security of our Partners and their customers is our top priority. We began addressing this issue immediately upon disclosure and have successfully applied patches to all of our platforms. The likelihood that private information was compromised is very minimal due to the lack of a public exploit at the time of the disclosure.

We have updated the OpenSSL packages installed on all our Linux shared hosting servers. We have also re-issued Digital Certificates on affected web servers after moving to a patched version of OpenSSL.

As always, we will continue to work to protect the security of our Partners and their data.

What steps should you be taking?

The Heartbleed bug makes it practically impossible to detect a history of abuse, but to be on the safer side, we strongly recommend that you change your Account passwords and also notify your customers to change their passwords. Beyond that, we suggest that you also change your passwords at other 3rd Party Services like Gmail, Facebook, etc.

For Partners selling Hosting and/or SSL certificates through us:

  • If you / your customers have purchased both Hosting and SSL Certificates for an installation from LogicBoxes, follow steps 1 and 3 below
  • If you / your customers have purchased Hosting from LogicBoxes and have SSL enabled on it with an SSL Certificate from a 3rd party vendor for your installation, follow steps 2 and 3 below
  • If you / your customers have purchased SSL Certificates from LogicBoxes but host with a 3rd party provider, follow step 1 below and reinstall the Certificate according to the instructions of your hosting provider

  1. Re-issue the SSL certificate from the OrderBox control panel by referring to the steps mentioned in the following KB article: http://manage.logicboxes.com/kb/servlet/KBServlet/faq1094.html
  2. Contact the SSL Certificate vendor to re-issue the SSL certificate. Once the SSL certificates are re-issued, you will need to install the new certificates under the hosting packages
  3. Install the reissued SSL Certificate by following the instructions relevant to you from the below options:

  • Also, partners reselling Hosting through us can use the force password reset option in WHM to ensure that all your hosting customers change their passwords

For Partners using LogicBoxes API:

We strongly recommend that you regenerate your API key by logging into your Control Panel and navigating to Settings >> API and clicking on the ‘Regenerate’ icon to get your revised API key. Update your API calls to use the new key.

Further Reading

If you are a LogicBoxes Partner and require any further information regarding the Heartbleed Bug, please feel free to get in touch with your Account Manager.

That’s it for our update on the Heartbleed bug. Have something to add to this post? Do share it in the comments.