Author Topic: SSL vulnerability  (Read 2357 times)

sidd

SSL vulnerability
« on: April 10, 2014, 05:38:20 AM »
I am sure the administrators have fixed this? But it would be nice to have an assurance. Logs should show if it was exploited, perhaps?

sidd

DungeonMaster

  • Administrator
Re: SSL vulnerability
« Reply #1 on: April 10, 2014, 09:23:39 AM »
Hi Sidd  :)

I spent the night verifying all the servers I administer, and fixing a couple of them. The forum is NOT affected and NEVER was - so no information leaked from here. I issued the News on the forum before actually reading your message ;)

Unfortunately this bug leaves no trace in any log... It's not even sure yet if special systems, Intrusion Detection Systems (IDS), can be tuned to catch this... So the big problem is that nobody knows if this vuln was exploited and if bank, e-commerce... servers were under attack.

If you use the same password in many places: change it here safely now, on other places when they're fixed.

You can check if a server is safe on http://filippo.io/Heartbleed/ (if that server doesn't melt under queries!). If the sites you use are not safe yet, try not to log in until they're fixed; then change your password.

http://heartbleed.com/ has a very good reference.
This forum helps me to feel less uncomfortable about "doing something" about the melting Arctic and the warming world.
Read again Maslowski paper: why Arctic could melt in 2016 +/- 3Y!

wili

Re: SSL vulnerability
« Reply #2 on: April 10, 2014, 08:09:32 PM »
I'm probably the only one that needs to ask this dumb of a question, but what are the exact steps I need to take to change my password on this forum? Thanks ahead of time for any directions, and for all your work.
"A force de chercher de bonnes raisons, on en trouve; on les dit; et après on y tient, non pas tant parce qu'elles sont bonnes que pour ne pas se démentir." Choderlos de Laclos "You struggle to come up with some valid reasons, then cling to them, not because they're good, but just to not back down."

sidd

Re: SSL vulnerability
« Reply #3 on: April 10, 2014, 08:24:17 PM »
I believe that there are some log traces that can be used, I seem to recall something on Schneier's blog about it. But if you did not use the vulnerable versions, you are ok.

Note: this vulnerability can be reversed by malicious servers to attack vulnerable clients also ...

sidd
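
Reply #1 asks whether an IDS can be tuned for this and reply #3 mentions traces; one network-side check is to compare TLS heartbeat record sizes per direction, because the record header (type and length) stays readable even when the payload is encrypted. This is an added example, not part of any forum post: the function names, the `slack` margin and the sample flows are assumptions constructed for illustration.

```python
import struct

HEARTBEAT = 24  # TLS record content type "heartbeat" (RFC 6520)


def record_lengths(stream, content_type=HEARTBEAT):
    """Walk the TLS record headers in one direction of a reassembled TCP
    stream and return the declared length of each record of content_type."""
    lengths, off = [], 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if ctype == content_type:
            lengths.append(length)  # header is in the clear, payload may not be
        off += 5 + length           # skip to the next record header
    return lengths


def oversized_replies(requester, responder, slack=64):
    """Return heartbeat record lengths sent by `responder` that exceed the
    largest heartbeat record sent by `requester` by more than `slack` bytes.
    `slack` (assumed value) absorbs padding and MAC differences."""
    asked = record_lengths(requester)
    if not asked:
        return []  # nothing to compare against in this flow
    limit = max(asked) + slack
    return [n for n in record_lengths(responder) if n > limit]


def _rec(ctype, length):
    """Build a constructed record: 5-byte header plus zero-filled payload."""
    return struct.pack("!BHH", ctype, 0x0302, length) + bytes(length)


# Constructed sample flows as (client bytes, server bytes); sizes only,
# no real traffic. Type 22 is a handshake record, included as noise.
NORMAL = (_rec(22, 200) + _rec(24, 40), _rec(22, 900) + _rec(24, 40))
LEAKY = (_rec(22, 200) + _rec(24, 8),
         _rec(22, 900) + _rec(24, 16384) + _rec(24, 16384))

if __name__ == "__main__":
    for name, (client, server) in (("normal", NORMAL), ("leaky", LEAKY)):
        hits = oversized_replies(client, server)
        print(name, "ALERT" if hits else "ok", hits)
```

Swapping the two arguments applies the same check to the reverse case raised in reply #3, a server requesting data from a vulnerable client.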