Dane - OpenSSL Heartbleed Bug?

13 posts Page 1 of 2
by pdessart » Tue Apr 08, 2014 5:55 pm
For Dane & the Sonic.net staff:

How is Sonic.net impacted by, and what are you doing to fix, the OpenSSL Heartbleed Bug (http://heartbleed.com)?


Thanks,
Peter
by kgc » Tue Apr 08, 2014 6:55 pm
Peter, check out the most recent update to the MOTD/status blog. The next few days are going to be interesting as the community needs to figure out how to handle the bulk revocation of so many certificates or account for the fact that the current revocation system is grossly inadequate. As for direct impact to our systems and users, beyond some additional work for us internally I can't really comment. We have replaced or are working to replace all of our certificates but are not recommending that everyone change their password. (Except to say, when is the last time you changed yours?)
Kelsey Cummings
System Architect, Sonic.net, Inc.
by aw » Wed Apr 09, 2014 9:15 am
kgc wrote:We have replaced or are working to replace all of our certificates but are not recommending that everyone change their password.
How long was it between when CVE-2014-0160 was announced and you patched OpenSSL? Anyone logging in during those times would potentially have their password stolen. I'm recommending to any of my F&F that logged in on the 7th to change their passwords.
by kgc » Wed Apr 09, 2014 11:20 am
Alan, I should have said "yet" -- I think at this point it is a pretty good idea to change all passwords anywhere that matters (banks, ISP, mail).
Kelsey Cummings
System Architect, Sonic.net, Inc.
by darrylo » Wed Apr 09, 2014 3:26 pm
I see the webmail cert has been updated, but what about the IMAP server? Is it not affected, or have you not yet gotten around to it?
by kgc » Wed Apr 09, 2014 3:29 pm
We're still working on it; we should have a complete list published soon.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by tom » Thu Apr 10, 2014 3:04 pm
It's my understanding that you should not rush out and change all your bank passwords, etc. until you are confident your bank, etc. has fixed their websites. Your password may not have been hacked, and with the announcement of the security problem there are now more "evil-doers" aware of it and now trying to exploit it.

Is this true?
by tom » Thu Apr 10, 2014 3:11 pm
Sorry, I should have added, you should not use your bank password until you're sure they have fixed the problem.
tom wrote: It's my understanding that you should not rush out and change all your bank passwords, etc. until you are confident your bank, etc. has fixed their websites. Your password may not have been hacked, and with the announcement of the security problem there are now more "evil-doers" aware of it and now trying to exploit it.

Is this true?
by aw » Thu Apr 10, 2014 4:14 pm
Yes, it's true you should absolutely not change your password if the site hasn't patched yet. Check the site here first:
http://filippo.io/Heartbleed/
by kgc » Thu Apr 10, 2014 7:15 pm
If your bank hadn't fixed this by now, I'd suggest you get a new bank.
Kelsey Cummings
System Architect, Sonic.net, Inc.