I know it's highly unlikely the website and forum here would be targeted and it's likely a 1/1000000000 chance, and that's being generous, but still it's better to be safe than sorry. Seeing as the forum uses SSL, and more likely OpenSSL, is the version of OpenSSL vulnerable or has it been patched? I don't think the website/forum uses any certs as certs are very costly, but OpenSSL should probably be updated to the latest patched version if it hasn't been already, just to be on the safe side and close any holes.
Heartbleed bug/exploit?
04-14-2014, 06:25 PM
1. www/forums/wiki have never implemented TLS heartbeats and thus aren't vulnerable.
2. buildbot/fifoci/dl/... were vulnerable for a short period of time but likely not enough to steal SSL keys, and they do not carry any user credentials.
04-14-2014, 08:59 PM
I didn't know the full details of the exploit other than it being a flaw with OpenSSL, thanks for clarifying. Not that these forums or the project would have been a target, other than maybe poking private repos or sections for teh best unrelease dolphin build eva that runs 1000 fps on Android or a Pentium 4 lol. There are bigger fish to go after, but even so, in my experience it's better to be safe than sorry, and I observed the forum using OpenSSL so I thought I would mention it since no one else has so far. I knew there wasn't much reason to worry since there are no certs, since they are very costly; I heard $1000 per cert. So it's nice to know that exploit is a non-issue: OpenSSL is not the sole factor, and it requires TLS heartbeats and signed certs with keys to be of any use to anyone.
04-15-2014, 02:27 AM
Uh, we have proper signed SSL certificates. If we did not your browser would complain about it. And no, they don't cost $1000 a cert - we pay 120 euros/year.
04-15-2014, 04:25 AM
Well, someone mentioned elsewhere they can run between $500 and $1000 and are very costly. Since OpenSSL can be used without certificates, I presumed that's how it was here, just basic OpenSSL encryption without certificates.
That's not how the internet works, sorry. If you want to have a secure website you have to pay the certificate authority mafia. Not that there is any better way to do it atm.
04-15-2014, 08:21 AM
Well, I don't really know how it's set up on the backend here. I know when I managed a VPS it had OpenSSL installed for the control panel and could use it for web sites without a certificate. Sure, it wasn't the security a certificate would provide, but if OpenSSL was installed and used by the control panel by default it must have at least provided a basic layer of security.
I honestly didn't mean for this to devolve into a long-winded discussion and debate. I admit I don't really know much about web design and web security except some basic stuff server side; I never had to deal with certificates or coding and patching holes if it wasn't as simple as running an update or replacing a PHP file. I purchased the VPS, updated packages, installed or compiled any needed packages and did guided hardening of the server, and this was made easier due to cPanel.