on the "heartbleed" bug
Posted on: Thu Apr 10, 2014 9:02 am
on the "heartbleed" bug
A few hours after this bug became known (for more info, see your newspaper and http://heartbleed.com),
I patched the calcudoku.org server so it is no longer vulnerable (see screenshot below; you can
test your server at http://filippo.io/Heartbleed).

Later I reverted to an older version of the "openssl" library just to double-check the server was
indeed vulnerable, and it was (!). This means that should someone have targeted calcudoku.org,
they could have read usernames + passwords without leaving a trace.

This is easily the most serious security problem since the start of the internet [sad]

Patrick

[screenshot: result of the Heartbleed test for calcudoku.org]
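A defender-side check along the lines of what Patrick did (confirming which openssl library the server is running), added here as an example and not code from the thread: it parses `openssl version -a` output and classifies it against the upstream releases known to be affected. The function names and sample version strings are my own constructions.

```python
import re
import subprocess

# Upstream OpenSSL releases affected by Heartbleed: 1.0.1 through 1.0.1f
# and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2. The 0.9.8 and 1.0.0
# branches never shipped the TLS heartbeat extension.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_status(version_output: str) -> str:
    """Classify `openssl version -a` output as "vulnerable", "fixed",
    "not_affected" or "unknown". Caveat: distributions backport fixes
    without changing the letter suffix (a distribution-patched 1.0.1e
    still reports "1.0.1e"), so a "vulnerable" verdict from the version
    string alone means "check the package changelog", not proof of exposure."""
    # A library built without heartbeat support cannot leak through it.
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return "not_affected"
    m = _VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if release < (1, 0, 1):
        return "not_affected"
    if release == (1, 0, 1):
        # Suffixes are single lowercase letters, so "" < "f" < "g" orders them.
        return "vulnerable" if letter < "g" else "fixed"
    if release == (1, 0, 2) and beta is not None:
        return "vulnerable" if int(beta) < 2 else "fixed"
    return "not_affected"  # 1.0.2 final and every later branch


def local_openssl_status() -> str:
    """Run `openssl version -a` on this host and classify the result."""
    try:
        proc = subprocess.run(["openssl", "version", "-a"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return heartbleed_status(proc.stdout)


if __name__ == "__main__":
    # Constructed sample strings, not output captured from calcudoku.org.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS"):
        print(sample.splitlines()[0], "->", heartbleed_status(sample))
    print("this host ->", local_openssl_status())
```

A passing version check says nothing about whether the host was exposed before the patch, which is why the advice in the thread to change passwords after the fix still applies.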


Posted on: Thu Apr 10, 2014 10:26 am
Re: on the "heartbleed" bug
A much more sophisticated site security test is available at:

https://www.ssllabs.com/ssltest

Posted on: Thu Apr 10, 2014 2:51 pm
Re: on the "heartbleed" bug
pnm wrote:
This means that should someone have targeted calcudoku.org,
they could have read usernames + passwords without leaving a trace.

This is easily the most serious security problem since the start of the internet [sad]

Patrick


This is a huge security issue and saying it is the most serious in internet history is really not an exaggeration.

People should test URLs for every site they log into, particularly anywhere they make financial transactions of any kind (banking, commerce, etc.). If the site fails, DON'T log in to it. Test it again later, and once it is secure, log in and change your password. You might check the site to see if there are notifications about the administrators' plans, but again, you probably shouldn't log in.

And Patrick has shown something important with his test using the older version of openssl. If the site passes the first time you check it, then log in and change your password. It could be that it was never vulnerable, or it could be that it was vulnerable and has since been remediated.

I know what I'll be doing this weekend...

PS Nice job on the prompt response to this issue, Patrick. Thanks!

All forum contents © Patrick Min, and by the post authors.