26 Sep

Security Advisory – Critical Bash Shell Vulnerability – Fix Available

Last Updated on September 26, 2014 by Ruchir Shastri

A vulnerability has recently been disclosed in Bash (the GNU Bourne Again shell) which affects all systems running Linux. Programs that let users provide values for variables can be made to execute arbitrary commands with the privileges of the service. This issue does not permit direct privilege escalation. It has been assigned the ID CVE-2014-6271 [1] in the Common Vulnerabilities and Exposures database. It has been given the nickname “Shellshock.”

CentOS and Debian patched this vulnerability partially on September 24, 2014 and issued further fixes on September 25, 2014 under new ID CVE-2014-7169 [2]. To apply the fixes, you need only update the version of your installed Bash program. If you have created any services that run entirely as a Bash shell script, you should restart those services after updating. Bash-based services are not common.

Windows and FreeBSD servers do not use Bash by default and are not generally affected. If you have installed Bash on your server manually, you should make sure it is up to date using the process by which you originally installed it.

Please review the sections below to determine how to update Bash on your server.


To check which version of Bash is installed, run the following

rpm -q bash

The version number should be greater than or equal to one of the

* CentOS 5: bash-3.2-33.el5_10.4
* CentOS 6: bash-4.1.2-15.el6_5.2
* CentOS 7: bash-4.2.45-5.el7_0.4

The important portion of the version number is the part beginning with “.elX_” where X is 5, 6, or 7. If you read the part after the “_” as a decimal number, it must be greater than or equal to the version listed. For example, for “.el6_” the number should be “5.2” or any higher number.

If your version does not match, please run the following command and ensure an update to the bash package is included:

yum -y update bash

If no update is available, please try the following commands, then repeat the command above:

yum clean metadata

Red Hat published the following advisories regarding this

* https://access.redhat.com/security/cve/CVE-2014-6271
* https://access.redhat.com/security/cve/CVE-2014-7169
* https://rhn.redhat.com/errata/RHSA-2014-1293.html
* https://rhn.redhat.com/errata/RHSA-2014-1306.html
* https://access.redhat.com/articles/1200223


To check which version of Bash is installed, run the following

dpkg -s bash | grep Version

The version number should be greater than or equal to 4.2+dfsg-0.1+deb7u3.

The notable part to look for is the “+deb7u3” at the end. If the last number is not 3 or higher, or the part after “+” is missing, you will need to upgrade. If your version does not match, please run the following command and ensure an update to the bash package is

apt-get update
apt-get install -y bash

Debian published the following advisories regarding this vulnerability:

* https://www.debian.org/security/2014/dsa-3032
* https://www.debian.org/security/2014/dsa-3035
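
The CentOS and Debian version checks described above, as an added example that is not part of the original advisory: a shell function that compares one line of rpm -q bash or dpkg -s bash | grep Version output with the fixed versions listed on this page. The function names and sample lines are constructed for illustration, and the digit-run comparison is an assumed simplification of the package managers' own version ordering.

```sh
#!/bin/sh
# Added example, not from the advisory. Compares a bash package version
# string with the fixed versions listed above. The comparison is a
# simplification of rpm/dpkg ordering: runs of digits compared as integers.

# ver_ge A B: succeed when version A is greater than or equal to B.
ver_ge() {
  a=$(printf '%s' "$1" | tr -c '0-9' ' ')
  b=$(printf '%s' "$2" | tr -c '0-9' ' ')
  set -- $a                      # fields of A become $1, $2, ...
  for y in $b; do
    x=${1:-0}                    # a missing field in A counts as 0
    [ $# -gt 0 ] && shift
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0                       # equal so far, or A has extra fields
}

# bash_is_fixed LINE: LINE is one line of `rpm -q bash` or
# `dpkg -s bash | grep Version` output.
# Returns 0 = fixed, 1 = update needed, 2 = release not covered here.
bash_is_fixed() {
  v=${1#Version: }; v=${v#bash-}
  v=${v%.x86_64}; v=${v%.i[36]86}          # drop the rpm architecture suffix
  case "$v" in
    *.el5*)     min="3.2-33.el5_10.4" ;;
    *.el6*)     min="4.1.2-15.el6_5.2" ;;
    *.el7*)     min="4.2.45-5.el7_0.4" ;;
    4.2+dfsg-*) min="4.2+dfsg-0.1+deb7u3" ;;   # Debian 7 package
    *)          return 2 ;;
  esac
  ver_ge "$v" "$min"
}

# Constructed sample lines (not captured from real hosts).
for s in "bash-4.1.2-15.el6_5.1.x86_64" "bash-4.1.2-15.el6_5.2.x86_64" \
         "bash-4.2.45-5.el7.x86_64" "Version: 4.2+dfsg-0.1+deb7u1" \
         "Version: 4.2+dfsg-0.1+deb7u3"; do
  if bash_is_fixed "$s"; then echo "OK      $s"; else echo "UPDATE  $s"; fi
done
```

Because each run of digits is compared as an integer, a suffix such as “el6_5.10” ranks above “el6_5.2”, and a package with no “_” suffix or no “+deb7u” suffix is reported as needing an update.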

14 Sep

HTTPS / SSL Encryption – Do it for web security or Google Ranking Boost?

Last Updated on September 14, 2014 by Ruchir Shastri

Google is working to make the internet safer and, taking the initiative, has adopted HTTPS encryption for its own main domain and sub-domains. This means a secure connection is set up every time you access Google Search, Gmail or Google Drive.

After months of experimenting with HTTPS links in its search ranking algorithms, Google decided to treat HTTPS as a very lightweight signal that gives a minor ranking boost. Google also mentioned that the signal would only have an impact on “fewer than 1% of global search queries”. Although this signal carries much less weight than high-quality content, the following statement suggests they may give it more importance in future.

But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

In March 2014, at the SMX West event, Matt Cutts, Google’s head of search spam, expressed a wish to include HTTPS as one of the ranking factors in Google’s algorithm. Google made it a reality less than five months after that announcement.


HTTPS stands for Hyper Text Transfer Protocol Secure and SSL stands for Secure Sockets Layer. HTTPS is the secure version of HTTP, while SSL is the protocol that provides the secure connection between user and website. HTTPS is mostly used on e-commerce websites, online banking sites and checkout areas to keep transactions safe, and on registration pages to secure the data.

When a visitor accesses an HTTPS website, the session is encrypted using a digital SSL certificate, which stops anyone else from interfering with or accessing the data being transferred. Well-known browsers show a padlock icon and https:// in the address bar to show visitors that the website is secured by HTTPS. Website owners with Extended Validation SSL certificates get additional green highlighting in the address bar.

Benefits of HTTPS

  • Prevention of man-in-the-middle attacks
  • A possible ranking boost in search results
  • Total privacy of user data such as browsing history and credit card numbers


  • Page load speed: Adopting encryption for your site will increase page load time, as HTTPS requires one more communication between servers.
  • Redirection: Make sure to set up proper HTTP-to-HTTPS redirection and resolve other canonicalization issues to avoid any keyword penalty.

Just a Tip:

1)      Google has incorporated the addition of HTTPS sites and reporting on them.

2)      For now, the type of certificate you use (Extended Validation, Organisation Validation or Domain Validation) has no influence on rankings.

3)      You will notice an increase in “Direct Traffic” if your website is on the “http” version. This is because when traffic passes from an HTTPS site to an HTTP site, there is no indication of where it came from.

To get started with HTTPS, here are some of the basic tips included in their blog:

  • Decide the kind of certificate you need:
    • Single (www.website.com)
    • Multi-domain (www.website.com, www.subdomain.website.com, www.website.net)
    • Wildcard (www.website.com, www.subdomain1.website.com, www.subdomain2.website.com, etc.)
  • Use 2048-bit key certificates
  • Use relative URLs for resources that reside on the same secure domain
  • Use protocol relative URLs for all other domains
  • Check out our Site move article for more guidelines on how to change your website’s address
  • Don’t block your HTTPS site from crawling using robots.txt
  • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag


Whether to move to HTTPS depends on the business and whether the site is purely informational or e-commerce. There has been an increase in the number of attacks involving malware, internet fraud and session hijacking, which puts your business and reputation at risk. Nowadays, after suffering from various cybercrimes, people are becoming more aware and are doing their online activities on secure and trusted websites.

At this point, instead of looking at the small ranking boost, website owners should pay more attention to security and trust. HTTPS is not going to work any miracle for keyword ranking; Google is pushing for safety and improved online security.