PHP 5.4.41, 5.5.25 and 5.6.9

The PHP developers recently released versions 5.4.41, 5.5.25 and 5.6.9 that fix several bugs. We’ve upgraded PHP 5.4, 5.5 and 5.6 on our servers as a result.

In addition, ionCube Loader has been updated to the current version 5.0.6.

These changes should not be noticeable, but in the unlikely event you experience any trouble, don’t hesitate to contact us.

Memorial Day 2015 holiday hours

Our business offices will be closed on Monday, May 25 to observe the US legal holiday. As always, we’ll provide same-day support for time-sensitive issues via our ticket and e-mail systems. However, questions that aren’t time-sensitive (including most billing matters) may not be answered until the next day, and telephone support (via callbacks) will be available only for urgent problems.

Cleaning compromised sites while moving them to Tiger Technologies

One issue we (unfortunately) have lots of experience with is fixing a WordPress site after we discover it’s been “hacked”. We have many tools in place to catch this when it happens, and in most cases we can then use our logs and file timestamps to:

  • find the exact time the site was compromised;
  • identify the underlying security problem (almost always an outdated plugin or theme);
  • restore an uninfected copy of the site from a backup;
  • update the plugin or theme to prevent a recurrence.

However, there’s one case where this doesn’t work: when a customer is migrating a compromised site from another hosting company to ours, so we don’t have logs, accurate timestamps, or backups from the time of the problem. If the customer doesn’t know what happened, the site is almost certainly still vulnerable to “hackers”. Security experts agree that in this situation, the only safe course is to start over with a new set of script files.

However, when we make this recommendation to customers, we often hear something that surprises us. They tell us they’ve removed the individual files our tools identified as malicious, but they don’t think they need to do anything else because the rest of the site seems fine. This is rarely true, for two reasons.


Mailman mailing list software upgraded to version 2.1.20; Mailman 3 status

The authors of the Mailman mailing list software we provide for customers have recently released versions 2.1.19 and 2.1.20 to fix several bugs.

We’ve upgraded the Mailman software on our servers from version 2.1.18 to 2.1.20 as a result.

Users of Mailman lists shouldn’t notice any changes, but as always, don’t hesitate to contact us if you have any questions or see any problems.


Disabling SSLv3 and TLS 1.0

If you use an SSL certificate on a site you host with us, we now offer more control over the SSL/TLS protocol versions your site uses.

Old protocol versions, including SSL version 3 (“SSLv3”) and TLS version 1.0, are no longer considered secure. You can now disable these to improve security, at the expense of preventing some older, less-secure browsers from making SSL or TLS connections. Some credit card companies are starting to require that SSLv3 and TLS 1.0 both be disabled.

You can disable them in our “My Account” control panel:

  • Log in to the control panel
  • Click “SSL Certificate”
  • Scroll down the page to the bottom of the “SSL/TLS protocol version settings” section
  • Click “show options”

What will happen if I disable some protocols?

If you disable only SSLv3, visitors using Internet Explorer 6 and earlier on Windows XP will no longer be able to connect securely. Almost nobody uses Internet Explorer 6 anymore, so this is almost always safe (and recommended).

Disabling TLS 1.0 is more of a problem. If you do this, you can expect secure connections to work only with modern browsers released in the last couple of years. The minimum versions are:

  • Google Chrome 22, released in 2012
  • Mozilla Firefox 27, released in 2014
  • Internet Explorer 11, released in 2013
  • Safari 7, released in 2013
  • iOS 5, released in 2011

These are quite recent: for example, Internet Explorer 10, which won’t work by default, was still the most current version 18 months ago. If you disable TLS 1.0, visitors using browsers older than the versions above would simply see connection errors when accessing any secure “https” parts of your site.

Because of this, disabling TLS 1.0 doesn’t yet make sense unless you control the browsers of everyone who visits your site (for example, if it’s only accessed by employees), or you use a third-party service (such as a credit card company) that requires you to do it.

It was recently announced that the PCI compliance standards, which every site that accepts credit cards must meet, will require all sites to disable both SSLv3 and TLS 1.0 by June 30, 2016. Some PCI compliance companies want their customers to do it immediately. If they ask you to do so, you can often request an exemption by filling out a form explaining that you cannot disable TLS 1.0 yet because you have customers who have not upgraded their browsers, but that you will do so by June 2016. For example, this form is for the widely used Trustwave PCI company.
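Once you have changed the setting, it is worth confirming from outside that the server really refuses the old versions. The following is an added example (not Tiger Technologies code, and not part of the control panel): it pins a client handshake to one TLS version at a time and reports which versions the server still accepts. SSLv3 is not probed because modern Python/OpenSSL builds no longer speak it at all; the hostname used at the bottom is only a placeholder.

```python
import socket
import ssl

# Versions to probe, each pinned as both minimum and maximum for one handshake.
PROBE_VERSIONS = ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")


def tls_handshake(host, port, version_name, timeout=5.0):
    """Return True if the server completes a handshake at exactly this version.

    False means the server refused it (or the local OpenSSL cannot offer it,
    which is common for TLS 1.0/1.1 on current systems).
    """
    version = getattr(ssl.TLSVersion, version_name)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we only test version acceptance,
    ctx.verify_mode = ssl.CERT_NONE     # not certificate validity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe_server(host, port=443, handshake=tls_handshake):
    """Map each version name to whether the server accepted it.
    `handshake` is injectable so the logic can be exercised without a network."""
    return {v: handshake(host, port, v) for v in PROBE_VERSIONS}


def assess(results):
    """Apply the policy described above: TLS 1.0 should be off, and at least
    one modern version must remain so that current browsers can connect."""
    findings = []
    if results.get("TLSv1"):
        findings.append("TLS 1.0 still accepted (PCI requires it disabled by June 30, 2016)")
    if not (results.get("TLSv1_2") or results.get("TLSv1_3")):
        findings.append("no TLS 1.2 or 1.3: modern browsers will see connection errors")
    return findings


if __name__ == "__main__":
    results = probe_server("www.example.invalid")   # placeholder host
    for name, accepted in results.items():
        print(f"{name:8} {'accepted' if accepted else 'refused'}")
    for finding in assess(results):
        print("WARNING:", finding)
```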

PHP 5.4.40, 5.5.24 and 5.6.8

The PHP developers recently released versions 5.4.40, 5.5.24 and 5.6.8 that fix several bugs. We’ve upgraded PHP 5.4, 5.5 and 5.6 on our servers as a result.

These changes should not be noticeable, but in the unlikely event you experience any trouble, don’t hesitate to contact us.

In addition, the company that makes the Zend Guard Loader software has finally released versions compatible with PHP 5.5 and 5.6, so we’ve made that option available in the “PHP Settings” area of our My Account control panel (with all the usual caveats about why encoded scripts are inherently unreliable).

Brief MySQL scheduled maintenance May 1, 2015 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Friday, May 1, 2015, the MySQL database software on each of our servers will be upgraded from version 5.5.41 to 5.5.43. This will cause an interruption of service of approximately 60 seconds, at some point during this period, on each customer Web site that uses MySQL.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 9:43 PM Pacific time: The maintenance was completed as planned and all services are running normally.

Protection against the WordPress “large comment” security bug

The authors of WordPress today released version 4.2.1 that fixes a critical security bug.

While upgrading is always a good idea, we’ve blocked the attack for all versions of WordPress on all sites that we host. We’ve also verified using our MySQL binary logs that no sites were attacked before we started the blocking.


Protection against the critical Magento “Shoplift” security bug

Researchers recently found a critical security bug in the widely used Magento e-commerce shopping cart software. If you use this software and don’t update it to fix the bug, “hackers” can easily take over your site, including potentially stealing the credit card numbers of your customers.

We’ve analyzed the Magento software our customers have installed and found that more than half of those installations are unpatched, despite the Magento team sending e-mail notices to Magento users in February.

“Hackers” are now beginning to exploit the bug. Because this is so dangerous, we yesterday added security rules to block these attacks even if you haven’t updated.

Although we’re confident that these rules block the current attacks (we’ve seen them block several live attacks, and they make sites we host pass the useful Shoplift bug tester), you should still patch your site if you use Magento: using outdated versions of e-commerce software is always dangerous.


Mail server SSL certificate renewed

We’ve renewed the SSL certificate on our mail servers (because it was due to expire soon).

Most customers won’t notice any change, but if you read e-mail over a secure connection using an unusual mail program that doesn’t handle SSL connections properly, you might be asked to “accept” the new certificate.
