Dane - OpenSSL Heartbleed Bug?
Posted: Tue Apr 08, 2014 5:55 pm
by pdessart
For Dane & the Sonic.net staff:
How is Sonic.net impacted by, and what are you doing to fix, the OpenSSL Heartbleed Bug (http://heartbleed.com)?
Thanks,
Peter
Re: Dane - OpenSSL Heartbleed Bug?
Posted: Tue Apr 08, 2014 6:55 pm
by kgc
Peter, check out the most recent update to the MOTD/status blog. The next few days are going to be interesting as the community needs to figure out how to handle the bulk revocation of so many certificates or account for the fact that the current revocation system is grossly inadequate. As for direct impact to our systems and users, beyond some additional work for us internally I can't really comment. We have replaced or are working to replace all of our certificates but are not recommending that everyone change their password. (Except to say, when is the last time you changed yours?)
Re: Dane - OpenSSL Heartbleed Bug?
Posted: Wed Apr 09, 2014 9:15 am
by aw
kgc wrote: We have replaced or are working to replace all of our certificates but are not recommending that everyone change their password.
How long was it between when CVE-2014-0160 was announced and you patched openssl? Anyone logging in during those times would potentially have their password stolen. I'm recommending to any of my F&F that logged in on the 7th to change their passwords.
Re: Dane - OpenSSL Heartbleed Bug?
Posted: Wed Apr 09, 2014 11:20 am
by kgc
Alan, I should have said "yet" -- I think at this point it is a pretty good idea to change all passwords anywhere that matters (banks, ISP, mail.)
Re: Dane - OpenSSL Heartbleed Bug?
Posted: Wed Apr 09, 2014 3:26 pm
by darrylo
I see the webmail cert has been updated, but what about the IMAP server? Is it not affected, or have you not yet gotten around to it?
Re: Dane - OpenSSL Heartbleed Bug?
Posted: Wed Apr 09, 2014 3:29 pm
by kgc
We're still working on it, we should have a complete list published soon.
Re: Dane - OpenSSL Heartbleed Bug?
Posted: Thu Apr 10, 2014 3:04 pm
by tom
It's my understanding that you should not rush out and change all your bank passwords, etc. until you're confident your bank, etc. has fixed their websites. Your password may not have been hacked, and with the announcement of the security problem there are now more "evil-doers" aware of it who are now trying to exploit it.
Is this true?
Re: Dane - OpenSSL Heartbleed Bug?
Posted: Thu Apr 10, 2014 3:11 pm
by tom
Sorry, I should have added, you should not use your bank password until you're sure they have fixed the problem.
tom wrote: It's my understanding that you should not rush out and change all your bank passwords, etc. until you're confident your bank, etc. has fixed their websites. Your password may not have been hacked, and with the announcement of the security problem there are now more "evil-doers" aware of it who are now trying to exploit it.
Is this true?
Re: Dane - OpenSSL Heartbleed Bug?
Posted: Thu Apr 10, 2014 4:14 pm
by aw
Yes, it's true you should absolutely not change your password if the site hasn't patched yet. Check the site here first:
http://filippo.io/Heartbleed/
Re: Dane - OpenSSL Heartbleed Bug?
Posted: Thu Apr 10, 2014 7:15 pm
by kgc
If your bank hadn't fixed this by now, I'd suggest you get a new bank.