heartbleed bug

By dstarfire, Senior Member on 8th April 2014, 08:05 PM
xda-developers.com is listed as one of the sites affected by the heartbleed bug, but testing tool now shows no vulnerability. A quick search shows no

Why aren't you bragging about patching this bug and how awesome you are at protecting our data?

At the very least, a notice about what's being done to protect xda and how it affects users would be much appreciated.
By bitpushr, XDA Administrator on 9th April 2014, 02:17 PM |#2
Quote:
Originally Posted by dstarfire

xda-developers.com is listed as one of the sites affected by the heartbleed bug, but testing tool now shows no vulnerability. A quick search shows no

Why aren't you bragging about patching this bug and how awesome you are at protecting our data?

At the very least, a notice about what's being done to protect xda and how it affects users would be much appreciated.

I'm curious what site it was listed on?

Just for anyone who is interested...

As soon as the severity of the flaw was clear, we began updating our machines. Some services use pre-built packages and others use custom-compiled software (using the flawed openssl version). We updated all of our services within 30 minutes or so.

The forum.xda-developers.com hostname uses a 3rd party service who was still vulnerable to heartbeat after we patched our internal services. We opened a ticket with them - I'm sure by that point they were aware of the issue and a fix was already in the works. About an hour after that they had patched their services.

This is definitely one of the worst security flaws in the history of the internet - you pretty much have to assume that any communications thought protected by https have been compromised unless there were other protections in addition to SSL.
By bitpushr, XDA Administrator on 9th April 2014, 03:29 PM |#4
Quote:
Originally Posted by Isriam

https://github.com/musalbas/heartble...er/top1000.txt

please patch asap

That list is old... see my statement above.
By Isriam, Senior Member on 9th April 2014, 03:31 PM |#5
That's fine, but just so you know, that link is posted on the front page of msn.com under Heartbleed headlines.
By bitpushr, XDA Administrator on 9th April 2014, 03:59 PM |#6
Quote:
Originally Posted by Isriam

That's fine, but just so you know, that link is posted on the front page of msn.com under Heartbleed headlines.

Sure, but not too much I can do about old information.
By dstarfire (OP), Senior Member on 9th April 2014, 04:42 PM |#7
The link Isriam posted is the one I found xda mentioned on. However, before I posted, I also checked a live testing website that showed xda as safe.

If anybody is interested, the url for that site is filippo.io/Heartbleed/
9th April 2014, 06:03 PM |#8
Senior Member
Indy
Unless there is updated information that I was unable to see, your SSL certificate is showing as being from 7 months ago. Shouldn't it be updated since that was part of the information that was vulnerable to Heartbleed?
By wto605, Member (Chicago) on 9th April 2014, 06:08 PM |#9
Are there any plans to replace and revoke the SSL certificates that were on the vulnerable servers? Since there are no logs it is impossible to know if anyone was able to obtain the private key for these certificates, and until revoked xda remains vulnerable to stealth MITM attacks.
By bitpushr, XDA Administrator on 9th April 2014, 08:13 PM |#10
Quote:
Originally Posted by wto605

Are there any plans to replace and revoke the SSL certificates that were on the vulnerable servers? Since there are no logs it is impossible to know if anyone was able to obtain the private key for these certificates, and until revoked xda remains vulnerable to stealth MITM attacks.

New certs are in process... the CA's are a bit backlogged.

We are vulnerable to stealth MITM attacks only if someone has recorded/intercepted our traffic, and also if someone was able to decode our private key. Both of which are unlikely (but possible). So while we do work to replace our certs, the priority is "hey, we are doing this" and not "hey, let's shut down our ssl services."
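The question raised in posts #8 and #9 (has the certificate been reissued since the patch, so that a key which sat in a vulnerable OpenSSL process is no longer in use?) can be checked from the client side without any logs, because the only evidence a remote user has of a fresh key is the certificate's notBefore date. The following is an added example written for this thread, not code from XDA or from any tool named here. It uses only the Python standard library: `ssl.cert_time_to_seconds` parses the date strings that `getpeercert()` returns, and the hostnames, dates and certificate fields in the sample data are constructed for illustration. The patch time is a parameter; the value used below is a hypothetical one, not the actual time XDA patched.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live host serves, as a getpeercert() dict.

    Not called by the sample run below (which works offline); shown so the
    triage logic can be applied to real hosts.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_not_before(cert):
    """notBefore of a certificate as an aware UTC datetime.

    `cert` is a dict in the shape returned by ssl.SSLSocket.getpeercert(),
    whose date fields look like 'Sep 09 00:00:00 2013 GMT'.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def needs_reissue(cert, patched_at):
    """True when the served certificate was issued before the host was patched.

    A key loaded into a vulnerable OpenSSL before the patch may have been read
    out of process memory, so the certificate should be reissued with a fresh
    key and the old one revoked. A notBefore after the patch time is the
    signal a client can verify that this has happened.
    """
    return cert_not_before(cert) < patched_at


def triage(hosts, patched_at):
    """Map each hostname to 'reissue' or 'ok' based on the cert it serves."""
    return {
        host: ("reissue" if needs_reissue(cert, patched_at) else "ok")
        for host, cert in hosts.items()
    }


# Constructed sample data: hypothetical hostnames, dates and serials, shaped
# like getpeercert() output. PATCHED_AT is a placeholder patch time.
PATCHED_AT = datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc)

SAMPLE_HOSTS = {
    # Cert issued about seven months before the patch: key must be rotated.
    "old-cert.example": {
        "subject": ((("commonName", "old-cert.example"),),),
        "notBefore": "Sep 09 00:00:00 2013 GMT",
        "notAfter": "Sep 09 23:59:59 2014 GMT",
        "serialNumber": "01",
    },
    # Cert issued after the patch: fresh key, nothing further to do.
    "new-cert.example": {
        "subject": ((("commonName", "new-cert.example"),),),
        "notBefore": "Apr 10 00:00:00 2014 GMT",
        "notAfter": "Apr 10 23:59:59 2015 GMT",
        "serialNumber": "02",
    },
}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS, PATCHED_AT).items():
        print(f"{host}: {verdict}")
```

The check is deliberately one-sided: a notBefore after the patch shows a new certificate was issued, but not that the CA revoked the old one or that a fresh key pair was generated rather than the old key re-certified. Revocation status has to be confirmed separately (CRL or OCSP), which is why the reply above treats reissue and revocation as two steps.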
By wto605, Member (Chicago) on 9th April 2014, 08:39 PM |#11
Quote:
Originally Posted by bitpushr

New certs are in process... the CA's are a bit backlogged.

We are vulnerable to stealth MITM attacks only if someone has recorded/intercepted our traffic, and also if someone was able to decode our private key. Both of which are unlikely (but possible). So while we do work to replace our certs, the priority is "hey, we are doing this" and not "hey, let's shut down our ssl services."

I totally agree (and believe me, I'm hating this crap as much as I'm sure you guys are)... I just wanted to make sure it was in progress, as I'm waiting to change my password until then.