Site vulnerability to the Heartbleed SSL bug

The Meal
Posts: 27992
Joined: Tue Oct 12, 2004 10:33 pm
Location: 2005 Stanley Cup Champion

Site vulnerability to the Heartbleed SSL bug

Post by The Meal »

Per the heartbleed chrome extension, OO is showing up as vulnerable to this Heartbleed vulnerability, as discussed in this EBG thread:
"Better to talk to people than communicate via tweet." — Elontra
FishPants
Server WhOOre
Posts: 4661
Joined: Fri Oct 15, 2004 1:38 pm
Location: Canada

Re: Site vulnerability to the Heartbleed SSL bug

Post by FishPants »

Appreciate the feedback, but that's not the case. I patched this on bug report/patch release.

Code:

Looking for TLS extensions on https://www.octopusoverlords.com

ext 65281 (renegotiation info, length=1)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug.

Checking your certificate
Certificate has NOT been reissued since the 0day. <-- Your stuff may be compromised. Consider changing the certificate and passwords.
No.
Pyperkub
Posts: 23659
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: Site vulnerability to the Heartbleed SSL bug

Post by Pyperkub »

The Meal wrote: Per the heartbleed chrome extension, OO is showing up as vulnerable to this Heartbleed vulnerability, as discussed in this EBG thread:
Real link, as that link is kind of hidden in the colon, and requires wading through the muck to find the updated issue.

Meal are you trying to tell us something? :hand:
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
IceBear
Posts: 12519
Joined: Sat Nov 13, 2004 5:58 pm

Re: Site vulnerability to the Heartbleed SSL bug

Post by IceBear »

Earlier this morning the Chrome extension was giving a warning that this site was vulnerable. It's not doing it now for what it's worth

Edit: And suddenly it popped up twice when I went to the Bargain Bin subforum.
Carpet_pissr
Posts: 20047
Joined: Thu Nov 04, 2004 5:32 pm
Location: Columbia, SC

Re: Site vulnerability to the Heartbleed SSL bug

Post by Carpet_pissr »

But does it matter (for this site)? It's not like we have billing information or personal data forms on here, right?

Or is the concern that the password used for OO could be compromised (for those that use the same password for other sites)?
IceBear
Posts: 12519
Joined: Sat Nov 13, 2004 5:58 pm

Re: Site vulnerability to the Heartbleed SSL bug

Post by IceBear »

Carpet_pissr wrote: But does it matter (for this site)? It's not like we have billing information or personal data forms on here, right?

Or is the concern that the password used for OO could be compromised (for those that use the same password for other sites)?
Yeah, I'm not too concerned as the only info here is my password that I don't use anywhere else... was just pointing out that the tool is claiming it's vulnerable (but it can apparently give false positives from what I read somewhere)
Pyperkub
Posts: 23659
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: Site vulnerability to the Heartbleed SSL bug

Post by Pyperkub »

Probably most important for Fishpants, Rip and other db/site admins. I've always assumed my password here was quite insecure.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
IceBear
Posts: 12519
Joined: Sat Nov 13, 2004 5:58 pm

Re: Site vulnerability to the Heartbleed SSL bug

Post by IceBear »

Yup... That's why I never even bothered getting KeePass to generate one for me... Though I suppose I should... :-)
FishPants
Server WhOOre
Posts: 4661
Joined: Fri Oct 15, 2004 1:38 pm
Location: Canada

Re: Site vulnerability to the Heartbleed SSL bug

Post by FishPants »

The tools being used are being saturated with requests -- when this first broke and some free online tools were available, some of my important sites were showing as vulnerable (and they were behind an F5 ASM) -- ends up that F5 version wasn't vulnerable anyways. Scanned it with Nexpose and all was good.

So take the chrome extension with a grain of salt; either you're running OpenSSL < 1.0.1g and vulnerable or you aren't, and it won't change between page flips.

Appreciate the heads up though, never know when I'll be asleep at the switch and need a slap.
No.
GreenGoo
Posts: 42334
Joined: Thu Oct 14, 2004 10:46 pm
Location: Ottawa, ON

Re: Site vulnerability to the Heartbleed SSL bug

Post by GreenGoo »

Nice job Fishpants! Although OO is a fairly low risk site in general =D
Pyperkub
Posts: 23659
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: Site vulnerability to the Heartbleed SSL bug

Post by Pyperkub »

FishPants wrote: The tools being used are being saturated with requests -- when this first broke and some free online tools were available, some of my important sites were showing as vulnerable (and they were behind an F5 ASM) -- ends up that F5 version wasn't vulnerable anyways. Scanned it with Nexpose and all was good.

So take the chrome extension with a grain of salt; either you're running OpenSSL < 1.0.1g and vulnerable or you aren't, and it won't change between page flips.

Appreciate the heads up though, never know when I'll be asleep at the switch and need a slap.
Don't forget that versions of OpenSSL prior to 1.0.1 are also not susceptible to heartbleed. We have a program used to dump data to a section of ice.gov, and for some reason, it would only work with certificates exported with a version of openssl 0.9.8.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
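The three findings in FishPants' scanner output (heartbeat extension advertised, OpenSSL patch level, certificate not reissued since disclosure) plus Pyperkub's point that builds before 1.0.1 were never affected can be folded into a small offline triage helper. This is an added example written for this thread, not code from the Chrome extension, the scanner quoted above, Nexpose, or the site. It assumes the OpenSSL banner has the shape printed by `openssl version` (or Python's `ssl.OPENSSL_VERSION`), that the certificate dict looks like what `ssl.SSLSocket.getpeercert()` returns, and that the disclosure date is 7 April 2014 (the day 1.0.1g shipped); the sample inputs at the bottom are constructed, not real scan data.

```python
"""Offline Heartbleed (CVE-2014-0160) triage helpers (added example)."""
import re
from datetime import datetime

# Public disclosure of Heartbleed and release of the fixed OpenSSL 1.0.1g.
DISCLOSURE = datetime(2014, 4, 7)

# TLS extension type number for heartbeat (RFC 6520); the scanner output in
# the thread lists it as "ext 00015".
TLS_EXT_HEARTBEAT = 15

# Matches "OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.2-beta1 ...", etc.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[A-Za-z0-9]+)?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, suffix) from a version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % banner)
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter, (suffix or "").lstrip("-")


def version_is_vulnerable(banner):
    """True when the upstream version is in the affected range.

    Affected: 1.0.1 through 1.0.1f, and 1.0.2-beta1.  The 0.9.8 and 1.0.0
    branches never carried the heartbeat code (Pyperkub's point), and
    1.0.1g is the fix (FishPants' "< 1.0.1g" rule of thumb).
    """
    major, minor, patch, letter, suffix = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"  # "" (plain 1.0.1) and "a".."f" are vulnerable
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "beta1"
    return False


def cert_reissued_since_disclosure(cert):
    """True if the certificate's notBefore is on or after the disclosure date.

    A server that was exposed should have had its private key replaced and
    the certificate reissued; an older notBefore is the scanner's
    "Certificate has NOT been reissued since the 0day" finding.
    """
    not_before = datetime.strptime(cert["notBefore"], "%b %d %H:%M:%S %Y GMT")
    return not_before >= DISCLOSURE


def triage(banner, extensions, cert):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    if TLS_EXT_HEARTBEAT in extensions:
        findings.append("heartbeat extension advertised")
    if version_is_vulnerable(banner):
        findings.append("OpenSSL version in affected range (1.0.1-1.0.1f / 1.0.2-beta1)")
    if not cert_reissued_since_disclosure(cert):
        findings.append("certificate not reissued since disclosure; rotate key and cert")
    return findings


# Constructed sample inputs (hypothetical hosts, not real scan data).
SAMPLE_PATCHED = {
    "banner": "OpenSSL 1.0.1g 7 Apr 2014",
    "extensions": [65281, 35, 15],  # same extension ids the scanner listed
    "cert": {"subject": ((("commonName", "example.test"),),),
             "notBefore": "Jan 15 00:00:00 2014 GMT",
             "notAfter": "Jan 15 00:00:00 2015 GMT"},
}
SAMPLE_UNPATCHED = {
    "banner": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "extensions": [65281, 35, 15],
    "cert": {"subject": ((("commonName", "example.test"),),),
             "notBefore": "Jan 15 00:00:00 2014 GMT",
             "notAfter": "Jan 15 00:00:00 2015 GMT"},
}

if __name__ == "__main__":
    for name, s in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
        print(name, triage(s["banner"], s["extensions"], s["cert"]))
```

One caveat when running this against a real host: several distributions backported the fix without bumping the upstream version letter, so a banner such as 1.0.1e on a vendor package is not conclusive on its own. Check the package changelog or, as FishPants did, confirm with a dedicated scanner, and treat a pre-disclosure notBefore on a host that was ever exposed as a reason to rotate the key regardless of what the version string says.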