@Admin, this is a serious vulnerability and I would like this to be a priority over all work you may be doing on this website. This needs to get patched immediately.
Sorry if I seem demanding. I am a nut when it comes to security... you should see my home system lol.
That's interesting. It would appear that that checker states that a website is vulnerable if it runs OpenSSL. Brick Owl was patched within a few hours of the vulnerability being announced on Tuesday night; it took a while for me to build the package from source on the backup server and check that it didn't have any unintended consequences. I have yet to re-issue the SSL certificate, but I can confirm the Heartbleed vulnerability has been patched.
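The admin's reply above hinges on one question an operator has to answer for every host: is the OpenSSL build in the affected range, and does the version string even tell you? As an added example (not code from the Brick Owl admin or from anyone in this thread), here is a small Python check that classifies the string printed by `openssl version`. The version range it encodes is upstream OpenSSL's (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 fixed; 0.9.8 and 1.0.0 never had the heartbeat code), and the sample strings at the bottom are constructed, not taken from any real server.

```python
import re

# Upstream OpenSSL releases that shipped the unchecked TLS heartbeat:
# 1.0.1 through 1.0.1f, and 1.0.2-beta1. The fix landed in 1.0.1g and
# 1.0.2-beta2. The 1.0.0 and 0.9.8 branches never contained the heartbeat
# code and are not affected.

_VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?"                      # optional "OpenSSL " prefix
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<letter>[a-z]*)"                    # release letter: 1.0.1e -> "e"
    r"(?:-(?P<pre>beta\d*|dev))?"            # pre-release tag: 1.0.2-beta1
)

# Markers of a vendor or distribution build rather than an upstream tarball:
# a Debian/Ubuntu revision ("-2+deb7u7", "-4ubuntu5.12"), an RPM release
# ("-16.el6_5.7"), or RHEL's "-fips" tag. Distributions backported the fix
# without bumping the release letter, so the letter alone proves nothing.
_DISTRO_SUFFIX_RE = re.compile(r"-\d|\.el\d|ubuntu|deb\d|-fips")


def parse_openssl_version(text):
    """Parse the leading version token of `openssl version` output.

    Returns (major, minor, patch, letter, prerelease), or None when the
    text does not look like an OpenSSL version string at all.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")), int(m.group("patch")),
            m.group("letter") or "", m.group("pre") or "")


def heartbleed_affected(text):
    """True if the upstream version is in the Heartbleed range.

    This compares upstream version numbers only; use assess() to also
    catch distribution builds where this answer is not trustworthy.
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, patch, letter, pre = parsed
    if (major, minor, patch) == (1, 0, 1):
        # "" (plain 1.0.1) through "f" are affected; "g" and later are fixed.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug.
        return pre == "beta1"
    return False


def assess(text):
    """Classify a version string as "affected", "not affected" or "inconclusive".

    "inconclusive" means the string carries a distribution package suffix;
    the distro may have patched the bug in place, so the package changelog
    (or the package manager's security advisory) is the real source of truth.
    """
    if _DISTRO_SUFFIX_RE.search(text):
        return "inconclusive"
    return "affected" if heartbleed_affected(text) else "not affected"


# Constructed sample inputs for illustration (not output from any real host).
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",     # stock upstream 1.0.1e: affected
    "OpenSSL 1.0.1g 7 Apr 2014",      # first fixed release
    "OpenSSL 1.0.2-beta1",            # the one affected 1.0.2 pre-release
    "OpenSSL 0.9.8y 5 Feb 2013",      # old branch, no heartbeat code
    "1.0.1e-2+deb7u7",                # Debian package: check the changelog
    "OpenSSL 1.0.1e-fips 11 Feb 2013" # RHEL build: check the package, not the letter
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-34s %s" % (sample, assess(sample)))
```

Two things the version string cannot tell you, both relevant to the admin's own steps: a long-running daemon keeps the old libssl mapped in memory until it is restarted, so patching the package on disk is not the end of the job; and because the bug could expose server memory, the private key has to be treated as potentially leaked, which is why re-issuing the certificate belongs to the remediation and not just the clean-up.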
Thor, You will find a pretty good and simple explanation of what it is here: http://heartbleed.com/. I looked this up too. I had no idea either. Melissa
TFTL Melissa,
Does this affect home PCs, and would this show as an upload connection in Little Snitch (mDNSResponder)? I've had this several times now: computer (Apple) running slow online, then I notice the upload flat out, which I interrupted by switching off Wi-Fi and switching it back on again.
mDNSResponder is a locked rule allowing any connection in Little Snitch.
Thanks G
@Admin Thanks. I was assuming that lastpass might be seeing old data, but just wanted to make sure. Thanks for taking care of this so quickly.
@Everybody Now, go change your passwords and security questions. Here, and on every website where you use one. Heartbleed allows attackers to download packets of unencrypted information from any site using the vulnerable version of OpenSSL without leaving a trace of the attack. If your information has been compromised, neither you nor the organization that owns the web site would know.
Most sites are moving quickly to upgrade their OpenSSL, but in the time your information was exposed, you have no way of knowing what information was stolen and what wasn't.
Brian
According to info from my banks (most crucial websites IMHO) they don't use OpenSSL so I shouldn't be worried. Apparently my info has never been compromised. I'm not saying we shouldn't be concerned, just check into it before giving yourself the headache of changing every last password. Site blogs are a good place to look if there are no announcements in the header.
@Markyd7 Good point. If a site hasn't been patched, then there's no point changing your info until it is. Of course, if a vulnerable site hasn't been patched yet, I would stop doing business with them.
@DagsBricks Most banks don't use OpenSSL, but it's worth looking into. (Actually, events like this are what make banks still using old IBM mainframes happy they never, ever upgrade.) Honestly, I couldn't bring myself to do the chore last night. Actually, Mashable has a useful guide: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Google is the most obvious change. I've used a lot of their services, including Wallet.
This may be of interest: I use an app called 1 Password. It generates strong passwords and stores them away from the library/keychain, and it is unlocked by an easier-to-remember password that isn't stored anywhere outside the app. I've found it very useful; it may just be for Mac, though.
Brian
My Google account is protected by a two step process. If anyone logs in from a non-authorized computer, I get a phone call with a 6 digit code to enter. That code needs to be entered into that session screen to allow login. Not that I'm not willing to change my password, just thankful for the extra layer of protection.
https://www.ssllabs.com/ssltest/
It will test and grade the website with its findings on website security. BrickOwl receives an "A-" while other websites we may frequent are not so well off with security. Give it a try and see what you find!
Great job Admin!
Chris
I am not going to pretend to know what it means exactly. But from the scan it is rated that way due to the website using "SSL 2 which is obsolete and outdated", according to the scan. Maybe the tech gurus could elaborate, as I am not one of them?
Chris
EDIT: I found this article and am reading it now:
http://contextis.com/research/blog/server-technologies-ssl2-should-it-keep-you-awake-/
I'll copy my reply from somewhere else to a very similar question.
Any browser after ~2002 will support SSL 3, which they'll favor over SSL 2. The server's support for weak encryption is not really an issue if no one uses it...
The server would just let someone with an old browser log in, and someone intercepting the traffic could potentially extract the login information. This is far less dangerous than the OpenSSL bug.