Heartbleed Update

According to lastpass.com, Brick Owl is using Apache and is vulnerable to the Heartbleed OpenSSL bug. Can we expect a patch soon?

Comments

  • @Admin this is a serious vulnerability and I would like this to be a priority over all other work you may be doing on this website.
    This needs to get patched immediately.

    Sorry if I seem demanding. I am a nut when it comes to security... you should see my home system lol.
  • edited April 2014
    That's interesting. It would appear that the checker states that a website is vulnerable if it runs OpenSSL. Brick Owl was patched within a few hours of the vulnerability being announced on Tuesday night; it took a while for me to build the package from source on the backup server and check that it didn't have any unintended consequences. I have yet to re-issue the SSL certificate, but I can confirm the Heartbleed vulnerability has been patched.
  • What IS the Heartbleed vulnerability and why should it be of concern to us members? Please try to explain it in layman's terms if you can. Thanks!

    Thor
  • Thor,
    You will find a pretty good and simple explanation of what it is here: http://heartbleed.com/.
    I looked this up too. I had no idea either.
    Melissa

  • TFTL Melissa,

    does this affect home PCs, and would this show as an upload connection in Little Snitch (mDNSResponder)? I've had this several times now: computer (Apple) running slow online, then I notice the upload going flat out, which I interrupted by switching off wi-fi and switching it back on again.

    mDNSResponder is a locked rule allowing any connection in Little Snitch

    Thanks G
  • @Admin Thanks. I was assuming that lastpass might be seeing old data, but just wanted to make sure. Thanks for taking care of this so quickly.

    @Everybody Now, go change your passwords and security questions. Here, and on every website where you use one. Heartbleed allows attackers to download packets of unencrypted information from any site using the vulnerable version of OpenSSL without leaving a trace of the attack. If your information has been compromised, neither you nor the organization that owns the web site would know.

    Most sites are moving quickly to upgrade their OpenSSL, but in the time your information was exposed, you have no way of knowing what information was stolen and what wasn't.
  • @loremonger If a website hasn't been updated, will changing the password make any difference?

  • @Everybody Now, go change your passwords and security questions. Here, and on every website where you use one.
    According to info from my banks (most crucial websites IMHO) they don't use OpenSSL so I shouldn't be worried. Apparently my info has never been compromised. I'm not saying we shouldn't be concerned, just check into it before giving yourself the headache of changing every last password. Site blogs are a good place to look if there are no announcements in the header.

    Brian
  • @Markyd7 Good point. If a site hasn't been patched, then there's no point changing your info until it is. Of course, if a vulnerable site hasn't been patched yet, I would stop doing business with them.

    @DagsBricks Most banks don't use OpenSSL, but it's worth looking into. (Actually, events like this are what make banks still using old IBM mainframes happy they never, ever upgrade.) Honestly, I couldn't bring myself to do the chore last night. Actually, Mashable has a useful guide.

    http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

    Google is the most obvious change. I use a lot of their services, including Wallet.

  • This may be of interest: I use an app called 1Password. It generates strong passwords and stores them away from the library/keychain, and it is unlocked by an easier-to-remember password that isn't stored anywhere outside the app. I've found it very useful. It may just be for Mac though.
  • My Google account is protected by a two step process. If anyone logs in from a non-authorized computer, I get a phone call with a 6 digit code to enter. That code needs to be entered into that session screen to allow login. Not that I'm not willing to change my password, just thankful for the extra layer of protection.

    Brian
  • A more comprehensive scan can be done here if you want to know more than just the "Heart Bleed Bug"

    https://www.ssllabs.com/ssltest/

    It will test and grade the website with its findings on website security. BrickOwl receives an "A-" while other websites we may frequent are not so well off with security. Give it a try and see what you find!

    Great job Admin!
    Chris
  • The other site seems to be safe because it is so outdated. But it also receives low scores because it is so outdated...?

    Brian
  • I am not going to pretend to know what it means exactly. But from the scan, it is rated that way due to the website using "SSL 2 which is obsolete and outdated", according to the scan.
    Maybe the tech gurus could elaborate, as I am not one of them?

    Chris

    EDIT: I found this article and am reading it now:
    http://contextis.com/research/blog/server-technologies-ssl2-should-it-keep-you-awake-/
  • I'll copy my reply from somewhere else to a very similar question ;).

    Any browser after ~2002 will support SSL 3, which they'll favor over SSL 2. The server's support for weak encryption is not really an issue if no one uses it...

    The server would just let someone with an old browser log in, and someone intercepting the traffic could potentially extract the login information. This is far less dangerous than the OpenSSL bug.
  • What IS the Heartbleed vulnerability and why should it be of concern to us members? Please try to explain it in layman's terms if you can. Thanks!
    http://xkcd.com/1354/
