Calcudoku puzzle forum
http://www.calcudoku.org/forum/

on the "heartbleed" bug
http://www.calcudoku.org/forum/viewtopic.php?f=5&t=582
Page 1 of 1

Author:  pnm  [ Thu Apr 10, 2014 9:02 am ]
Post subject:  on the "heartbleed" bug

A few hours after this bug became known (see for more info your newspaper and http://heartbleed.com)
I patched the calcudoku.org server so it is no longer vulnerable (see screenshot below, you can
test your server at http://filippo.io/Heartbleed).

Later I reverted to an older version of the "openssl" library just to double-check the server was
indeed vulnerable, and it was (!) This means that should someone have targeted calcudoku.org,
they could have read usernames + passwords without leaving a trace.

This is easily the most serious security problem since the start of the internet [sad]

Patrick

Image

Author:  pnm  [ Thu Apr 10, 2014 10:26 am ]
Post subject:  Re: on the "heartbleed" bug

A much more sophisticated site security test is available at:

https://www.ssllabs.com/ssltest

Author:  jaek  [ Thu Apr 10, 2014 2:51 pm ]
Post subject:  Re: on the "heartbleed" bug

pnm wrote:
This means that should someone have targeted calcudoku.org,
they could have read usernames + passwords without leaving a trace.

This is easily the most serious security problem since the start of the internet [sad]

Patrick


This is a huge security issue and saying it is the most serious in internet history is really not an exaggeration.

People should test URLs for every site they log into, particularly anywhere they make financial transactions of any kind - banking, commerce, etc.. If the site fails, DON'T log in to it. Test it again later and once it is secure then log in and change your password. You might check the site to see if there are notifications about the administrators' plans but again, you probably shouldn't log in.

And Patrick has shown something important with his test using the older version of openssl. If the site passes the first time you check it then log in and change your password. It could be that it was never vulnerable or it could be that it was vulnerable and has since been remediated.

I know what I'll be doing this weekend...

PS Nice job on the prompt response to this issue, Patrick. Thanks!

Page 1 of 1 All times are UTC + 1 hour [ DST ]
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
http://www.phpbb.com/