POODLE Attack!

You may have heard the recent information about the POODLE attack. Essentially, this is an issue where SSL connections may revert to the known-unsafe SSLv3 protocol. There's really no fix for SSLv3, but there IS a cure that amounts to disabling the fallback to older SSL protocols such as SSLv3. We're going to be doing two things about this:

  1. We are in the process of rolling out the recent OpenSSL fix that uses TLS_FALLBACK_SCSV to stop the rollback to older SSL protocols.
  2. We are in the process of setting up to make our SSL servers no longer accept EITHER SSL2 or SSL3 as protocols. This is really the right thing to do, but it WILL mean that people using browsers that do not understand recent secure connection protocols will be in trouble. This specifically includes old versions of IE. The upshot of this is that once this is completed, people on Windows XP will no longer be able to make secure connections to our servers (with IE). We see this as a minor issue compared to the possibility of compromised security. We are NOT doing this step in the near future, but will be doing it as a normal consequence of a larger operating system upgrade some time in the next few months.
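How the two measures differ on the server side, as an added example (not this host's or OpenSSL's code): a simplified model of the RFC 7507 check on an incoming ClientHello, followed by the protocol floor from step 2. The function names and the sample ClientHello bodies are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value from RFC 7507
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(body):
    """Return (client_version, [cipher suites]) from a ClientHello body."""
    (version,) = struct.unpack_from("!H", body, 0)
    pos = 2 + 32                      # skip client_version and the 32-byte random
    pos += 1 + body[pos]              # skip session_id (1-byte length prefix)
    (suites_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("malformed cipher_suites")
    suites = list(struct.unpack_from("!%dH" % (suites_len // 2), body, pos))
    return version, suites

def server_decision(body, server_min=0x0301, server_max=0x0303):
    """Step 1: reject a downgraded retry. Step 2: refuse anything below the floor."""
    version, suites = parse_client_hello(body)
    # A client adds the SCSV only when retrying at a lower version than it supports.
    # If the server could have gone higher, something forced the downgrade.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return "alert: inappropriate_fallback"
    # server_min=0x0301 models a server that no longer accepts SSL2/SSL3.
    if version < server_min:
        return "alert: protocol_version"
    return "negotiate " + VERSIONS[min(version, server_max)]

def make_hello(version, suites):
    """Constructed sample ClientHello body (zero random, empty session id)."""
    return (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + struct.pack("!%dH" % len(suites), *suites))

if __name__ == "__main__":
    modern = make_hello(0x0303, [0xC02F])                 # TLS 1.2 first attempt
    forced = make_hello(0x0300, [0x002F, 0x5600])         # retry pushed down to SSLv3
    legacy = make_hello(0x0300, [0x002F])                 # client that only speaks SSLv3
    for name, hello in (("modern", modern), ("forced", forced), ("legacy", legacy)):
        print(name, "| SCSV only:", server_decision(hello, server_min=0x0300),
              "| SCSV + no SSLv3:", server_decision(hello))
```

With only the SCSV fix in place the legacy SSLv3-only client still connects over SSLv3; it is the protocol floor in step 2 that turns it away.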


Drupal 7.32

It's security update day in Drupal land.  Drupal 7.31 has a fairly serious SQL Injection vulnerability, which is fixed in Drupal 7.32. At the moment we're testing Drupal 7.32 (already did this site) and will be rolling it out on sites that are under maintenance for us as the day goes on.

This is in fact a REALLY serious problem and exploits are already in the wild.

We strongly advise that people do this upgrade.

Bash Security Issue - update

Update -

New versions of bash were released overnight that fix the remaining security flaws in the shell. We are in the process of rolling out the second patch to all of our servers and will be finished some time around 10 AM Central Time.

Some of you may have seen the news yesterday about a serious bug in bash allowing code injection. We are currently in the process of applying updates to all of our servers for this security issue. Unfortunately it has been discovered that the currently available updates are only a partial solution. We are installing the partial upgrade and looking into some security workarounds until such time that we receive new patches from CentOS. We're working to continue to provide security to our customers.

Why Host With Us?

We have a special niche in web hosting. We provide high quality performance-oriented web hosting for CMS systems. Unlike the low-priced commodity web hosts, we have servers set up to support CMS right out of the box. You won't see a lot of the common errors with web hosting that you'll see with non-specialized hosts (running out of PHP memory on a small site, too-small packet sizes for your database, no support for InnoDB on MySQL, etc.) even if you are on one of our shared hosting plans. We understand the needs of CMS users and provide useful plans for a CMS at all price levels.

We also particularly are committed to Drupal hosting. We have a wide range of hosting abilities for Drupal, and can tune a hosting instance to your needs.  Whether you need shared, VPS, or dedicated hosting, we can help you.  We also run clients with multiple-machine hosting (usually multiple VPS's) where each machine is tuned to a special need, like Varnish, MySQL, or PHP hosting, as well as supporting redundant database backends and multiple web servers.

What We Do

Cruiskeen Consulting is a general Internet consulting company, and we do multiple things. Primarily we provide high-capacity custom hosting for people who need high-performance reliable hosting for their Content Management Systems sites. We primarily work with Drupal, and also do Drupal consulting and web design. Our hosting is tuned to be optimized for Drupal use, although it is also very effective for WordPress sites.

Our servers are set up for the Drupal developer, and have Drush, git, and other useful services pre-installed.  We will happily work with you to provide other custom services for your site, such as Varnish, Apache Solr, and memcached. Our servers all use the APC PHP cache and our default MySQL servers are set up to be successful for using Drupal.
