Mar 3, 2020

All Let's Encrypt Certificates Affected by the CAA Rechecking Bug Have Been Reissued

On February 29, 2020, Let's Encrypt found a bug in the Certification Authority Authorization (CAA) code of Boulder, their CA software. Over three million certificates issued by Let's Encrypt were affected. The bug itself, as per the official 2020.02.29 CAA Rechecking Bug thread, was:

The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

All hosting plans we offer include free SSL certificates by Let's Encrypt, and a lot of our customers use them, which meant that many websites would be affected.

At ICDSoft we take such issues very seriously, and our team took immediate action. We checked for any affected certificates on our servers in order to reissue them accordingly. There were 128 SSL certificates that had been affected by the CAA rechecking bug, and they have all been successfully reissued. As a result, no customer of ICDSoft experienced any SSL-related issues caused by this bug and the subsequent revocation by Let's Encrypt of all affected certificates.
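The rechecking flaw quoted above, modelled as an added Go example; it is not Boulder's code and not part of the original announcement. The zone data, the `otherca.example` identifier, the function names and the choice of which name gets rechecked are assumptions.

```go
package main

import "fmt"

// caaZone is a constructed, simplified stand-in for DNS: name -> CAA "issue" values.
type caaZone map[string][]string

// allows reports whether name's CAA records permit ca; no records means no restriction.
func (z caaZone) allows(name, ca string) bool {
	records := z[name]
	if len(records) == 0 {
		return true
	}
	for _, r := range records {
		if r == ca {
			return true
		}
	}
	return false
}

// recheckBuggy models the quoted behaviour: N names need rechecking, but one
// name is picked and checked N times. Picking the last name is an assumption.
func recheckBuggy(z caaZone, names []string, ca string) bool {
	for range names {
		if !z.allows(names[len(names)-1], ca) {
			return false
		}
	}
	return true
}

// recheckEach checks every name once and returns those that now forbid ca.
func recheckEach(z caaZone, names []string, ca string) []string {
	var blocked []string
	for _, n := range names {
		if !z.allows(n, ca) {
			blocked = append(blocked, n)
		}
	}
	return blocked
}

func main() {
	// Constructed state after validation: shop.example now names another CA.
	zone := caaZone{"shop.example": {"otherca.example"}}
	names := []string{"shop.example", "www.example"}
	fmt.Println(recheckBuggy(zone, names, "letsencrypt.org"), recheckEach(zone, names, "letsencrypt.org"))
}
```

The buggy recheck reports success because the restricted name is never looked at, while the per-name recheck returns `shop.example` as a name that must block issuance.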

May 18, 2019

Microarchitectural Data Sampling (MDS) vulnerabilities patched on all ICDSoft servers

With regard to the recently discovered MDS vulnerabilities (also known as Zombieload, RIDL, and Fallout) in Intel CPUs, we want to assure our clients that all of our machines have been secured. Since our servers use Intel CPUs, our system administrators have applied the necessary security updates in order to protect our customers from these Microarchitectural Data Sampling vulnerabilities.

We take security very seriously, and although we aren't aware of any real world attack, we cannot risk having such a security hole in our server configuration.

Apr 5, 2019

ICDSoft servers not affected by Apache vulnerability CVE-2019-0211

A privilege escalation vulnerability (CVE-2019-0211) in the Apache web server was recently discovered. This vulnerability is particularly bad for some shared hosting providers, as it may allow unprivileged scripts to take over the main Apache process.

The Apache instances running on our servers are not affected by this vulnerability, as they are protected by the suEXEC security mechanism. Nonetheless, since our system administrators regularly update all software on our servers, a patch for this vulnerability has already been applied.

Jan 8, 2018

Meltdown, security issue resolved

If you follow news on the Internet, and especially if you have any interest in security matters, you have probably heard about Meltdown. This is a security vulnerability in popular CPUs that affects most devices on the Internet, including servers, personal computers, and smartphones. Although the technical details of the vulnerability are rather long, in summary it allows unauthorized access to system resources and sensitive data between users, programs, and virtualization platforms.

Our servers were also among the devices that were possibly affected by Meltdown.

Over the weekend, our system administrators performed emergency software updates on our production servers, including kernel updates that fix the Meltdown vulnerability.

Security is a primary concern for us, and our customers can rest assured that we are putting 100% effort into resolving any security issues as soon as possible.

Oct 11, 2016

Let's Encrypt certificates

Today, our in-house developed hosting Control Panel got another feature - an installation utility for the SSL certificates of Let's Encrypt. Our customers can now install Let's Encrypt certificates for any of the domains they host with us.

Let's Encrypt is a certificate authority that provides free domain-validated SSL certificates. It aims to provide secure connections between users and servers and to make encrypted communication a standard on the Internet.

The new utility in the hosting Control Panel provides very easy installation and management of Let's Encrypt certificates - a certificate is requested with a single click, and the whole validation process and following renewals are done automatically on the server side.

The use of Let's Encrypt certificates on our servers is completely free for our customers.