New SSL Heartbleed Bug A Serious Threat To Server Security!

Discussion in 'Security and Legal' started by s.molinari, Apr 9, 2014.

  1. s.molinari

  2. BamaStangGuy

    If you weren't using SSL, you were better off had someone known about this exploit.
  3. s.molinari

    Um, I am not quite sure what you mean. OpenSSL is a standard part of most Linux OSes and so is automatically installed and running as a service and on an open port (443). So, even if you weren't using SSL (for https connectivity, as I think you are inferring), then your server is most likely still vulnerable. I haven't been able to find an answer on that and my knowledge isn't good enough to be sure.

    This is a nice blog about the issue too. You'll notice, there is no mention of "if you don't use https, you are ok."

    Even worse, this bug is over 2 years old. So, rotate certs and change all passwords, if you want to be really safe.

    Scott
  4. cpvr

    Liquidweb, who is my hosting provider, sent out an email to all customers saying that they patched the security flaw and rebooted our servers.
  5. BamaStangGuy

    http://xenforo.com/community/threads/openssl-1-0-1g-available-on-axivo-repository.71899/#post-748846
  6. s.molinari

    Yes, but how many people explicitly shut down the SSL service on their server? (Not using https in your website doesn't mean the same. Still not sure we are talking about the same thing.:)) I'd venture to say, practically nobody.

    Edit: then again, if you weren't serving any transactions with SSL, then there would be nothing to exploit.

    Scott
    Last edited: Apr 11, 2014
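Posts 3 and 6 turn on whether a box is exposed just because OpenSSL is installed: the bug (CVE-2014-0160) sits in OpenSSL's TLS heartbeat code, so a vulnerable library only matters where some listening process actually terminates TLS with it. As an added example, not from this thread or from XenForo, here is a small Python checker that classifies `openssl version -a` output against the affected release range (1.0.1 through 1.0.1f, fixed in 1.0.1g) and flags distro backports, which keep the old version letter but carry a newer build date; the sample outputs are constructed, not captured from real hosts.

```python
import re
from datetime import date

# Heartbleed (CVE-2014-0160) lives in the TLS heartbeat code of OpenSSL 1.0.1
# through 1.0.1f (and the 1.0.2-beta1 pre-release). 1.0.1g, released 7 Apr 2014,
# fixes it; 0.9.8 and 1.0.0 never had the heartbeat code, so they are not affected.
# A vulnerable library is only exploitable through a process that terminates TLS
# with it, so this check says what is on disk, not what is exposed on a port.
FIX_DATE = date(2014, 4, 7)
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")
# "built on:" line from `openssl version -a`, e.g. "built on: Tue Apr  8 02:39:29 UTC 2014"
_BUILT_RE = re.compile(
    r"built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+(?:\S+\s+)?(\d{4})")
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

def version_affected(version_output: str) -> bool:
    """True if the version string names a release that shipped the bug."""
    m = _VERSION_RE.search(version_output)
    if m is None:
        raise ValueError("no OpenSSL version string found")
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        return letter <= "f"          # '' (plain 1.0.1) sorts before 'a'
    if release == (1, 0, 2):
        return beta == "1"
    return False

def build_date(version_output: str):
    """Parse the 'built on:' line, or return None if the output lacks one."""
    m = _BUILT_RE.search(version_output)
    if m is None:
        return None
    return date(int(m.group(3)), _MONTHS[m.group(1)], int(m.group(2)))

def classify_openssl(version_output: str) -> str:
    """'not affected', 'vulnerable', or 'review' when the version string is an
    affected one but the binary was built on or after the fix date, which is
    what a distro backport (a rebuilt 1.0.1e package, say) looks like; confirm
    a 'review' result against the package changelog, not the version string."""
    if not version_affected(version_output):
        return "not affected"
    built = build_date(version_output)
    if built is not None and built >= FIX_DATE:
        return "review"
    return "vulnerable"

if __name__ == "__main__":
    # Constructed sample outputs, not captured from any real host.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Feb 11 12:30:10 UTC 2014",
                   "OpenSSL 1.0.1e-fips 11 Feb 2013\nbuilt on: Tue Apr  8 02:39:29 UTC 2014",
                   "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 22:10:41 UTC 2014"):
        print(sample.splitlines()[0], "->", classify_openssl(sample))
```

Feed it the output of `openssl version -a` from the host in question; a "vulnerable" or "review" result still needs the follow-up in post 3 (rotate certificates, change passwords) only if a TLS-terminating service was actually exposed.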
