DanFoxDavies

OpenSSL 'Heartbleed' Bug - Request to forum admin/owners

Hello,
As outlined here: http://heartbleed.com/ (yes, it's so bad they registered a TLD for it)

There is a very serious vulnerability in OpenSSL which allows circumvention of secure password authentication or any other encryption reliant on OpenSSL by taking advantage of how RAM is read. Please, if this site uses OpenSSL in anything at all, update to a version >=1.0.1g (most systems) or >=1.0.1e (with patch) (for Fedora and other RPM-based systems).

Please also inform the forum users when this update takes place and that it will require new passwords, reboot the affected servers (yes it's necessary to ensure the fix is fully applied) and reset all passwords.

Finally, my apologies if this has already been dealt with or mentioned; I have checked over the threads that have been posted in the forum admin and requests sections within the relevant timeframe and can't find anything else to do with it.
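
Added example (not part of the original post, and not code from OpenSSL or this forum): a Python check that classifies `openssl version -a` output against the upgrade thresholds named in the post above, including the RPM-style "1.0.1e with patch" case where the version string alone is inconclusive. The function name `classify`, its status strings and the sample outputs are constructed for illustration; pre-release builds are reported as unknown rather than judged.

```python
import re
import subprocess

# Upstream OpenSSL 1.0.1 through 1.0.1f is affected; 1.0.1g is the first fixed release.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")

# Constructed sample outputs (not captured from any real host).
SAMPLES = {
    "upstream_old": "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_THREADS -O3",
    "upstream_fixed": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -DOPENSSL_THREADS -O3",
    "rpm_build": "OpenSSL 1.0.1e-fips 11 Feb 2013\ncompiler: gcc -DOPENSSL_THREADS -O2",
    "no_heartbeat": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O2",
    "older_branch": "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -O3",
}


def classify(version_output: str) -> str:
    """Return a (hypothetical) status string for `openssl version -a` text."""
    match = _VERSION_RE.search(version_output)
    if match is None or match.group(5):
        # Unparseable text, or a pre-release build this check does not judge.
        return "unknown"
    base = tuple(int(part) for part in match.group(1, 2, 3))
    letter = match.group(4)
    # Only the 1.0.1 series below letter 'g' carries the vulnerable heartbeat code.
    if base != (1, 0, 1) or letter >= "g":
        return "not-affected-by-version"
    # Builds compiled without heartbeat support do not expose the bug.
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "heartbeat-disabled"
    # Distributions backport the fix without changing the letter (the post's
    # "1.0.1e with patch" case), so the string alone cannot clear the host:
    # confirm against the vendor's package changelog.
    return "affected-unless-vendor-patched"


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {classify(text)}")
    try:
        local = subprocess.run(["openssl", "version", "-a"],
                               capture_output=True, text=True, check=True).stdout
        print("local binary:", classify(local))
    except (OSError, subprocess.CalledProcessError):
        print("local binary: openssl not available")
```

The result describes the installed binary only: services started before the update keep the old library loaded until they are restarted, which is why the post asks for a reboot.
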
Kanibal   

Actually, it's nothing to do with us. FurMorphed is not hosted on a dedicated system; we're on a rented piece of webspace which is shared by dozens of other websites and it's down to our server operators, Hostgator.com, to dish out the update.

So you can rest assured the update was applied to our servers within minutes of it being released as a patch, but you shouldn't be worrying anyway, because if you check your URL bar and search our website in SSL checking tools (such as http://heartbleed.hostgator.com/), you'll see we don't offer any traffic through SSL, so the vulnerability never applied to us.

I appreciate your concern though and realise that because of how much I've been up to lately I don't think I posted anything outside of Twitter, so it could have been more transparent.


Thanks for clearing that up, then :-) - nevertheless, passwords ought to be updated if they bear even a resemblance to passwords used on systems which have been compromised by this, just in case... (take the opportunity to switch to a more secure password).

Kanibal   

Well, agreed - passwords all over the internet need to be updated once servers have been patched, just in case, though realistically you shouldn't use the same password twice anywhere - similarities are problematic.

The best bet is to always make your recovery email secure because most of the time any suspicious activity gets sent there.

