Changes between Version 4 and Version 11 of heartbleed


Legend: a line numbered in both the v4 and v11 columns is unmodified; a line numbered only in the v4 column was removed in v11; a line numbered only in the v11 column was added in v11. A modified line appears as a removed v4 line followed by its added v11 replacement.
  • heartbleed

    v4  v11
     6    6  A serious security vulnerability has been discovered in the most popular cryptography software on the Internet, affecting 2/3 of all web sites, including many May First/People Link members.
     7    7
     8       MF/PL's Support, Infrastructure and Data Sovereignty Team has been working hard to address the issue. Within 24 hours of the public announcement, we're proud to report that all servers have been upgraded.
          8  MF/PL's Support, Infrastructure and Data Sovereignty Team has been working hard to address the issue. Within 24 hours of the public announcement, we're proud to report that all servers have been upgraded (a handful of servers did not have their web server restarted until the morning of April 9).
     9    9
    10   10  Unfortunately, upgrading the server software is not enough. We strongly encourage all members to change the passwords you have used on May First/People Link servers.
     …    …
    14   14  During the period in which our servers were vulnerable it was possible for someone who can access your traffic to compromise the key that encrypts that traffic. If your key was compromised, then fixing the bug is not enough: you'll need to generate a new key and get a new x509 certificate.
    15   15
         16  ''' Action Summary '''
         17
         18  What should I do?
         19
         20   * All May First/People Link members are encouraged to change your passwords by going to this web site: https://members.mayfirst.org/changepass
         21   * Please be careful of phishing attacks! Please do not enter your password into any site that does not have the lock icon (or starts with https) and ends with mayfirst.org. You may receive emails over the next few weeks warning about this problem and encouraging you to enter your password on illegitimate web sites. Please carefully check the address of any site asking for your mayfirst.org password.
         22   * If you have a web site that uses https and you have purchased a certificate, please [wiki:faq/security/get-certificate generate a new key and obtain a new certificate].
    16   23  '''Questions'''
    17   24
     …    …
    26   33  ''Do I have to generate a new key?''
    27   34
    28       No. It's your choice and you may decide that it's not worth the effort. To compromise your site, an attacker must have access to your Internet traffic and must of taken advantage of this bug either in the last 24 hours or prior to the public release of the bug. For most sites, that's unlikely. On the other hand, we now have concrete information about massive spying operations by the National Security Agency, including huge databases of recorded Internet traffic.
         35  We strongly recommend that you do. However, it's your choice and you may decide that it's not worth the effort. The vulnerability allowed an attacker to read the memory used by the web server. If nobody attempted to exploit the server your web site is running on during the period in which the server was vulnerable, then there is no reason to generate a new key or be worried about compromised data. On the other hand, if someone attempted to exploit ''any'' web site on your server (even if it's not your own web site), then your data may have been compromised. It is trivial to write a simple program to scan web sites for this vulnerability and it's likely that some people knew about the problem prior to it becoming public.
    29   36
    30   37  '''Additional Information and Notes'''
    31   38
    32       According to the web site [http://heartbleed.org hearbleed], openssl is the most popular encryption library. And, arstechnica estimates [http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/ it is used by 2/3 or all web sites].
         39  According to the web site [http://heartbleed.org heartbleed], openssl is the most popular encryption library. And, Arstechnica estimates [http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/ it is used by 2/3 or all web sites].
    33   40
         41  For still more info:
         42
         43  * [http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html Accessible 'Everything you need to know' blog post]
         44  * [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 Debian's bug report and resolution]
         45  * [http://filippo.io/Heartbleed/ Testing tool]
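The upgrade status reported above and the Debian bug report linked under "For still more info" both turn on which OpenSSL release a host is actually running. As an added example (not code from the MF/PL wiki page), this Python inventory check classifies `openssl version` banners against the affected release line; the affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g, with the 0.9.8 and 1.0.0 branches unaffected) is stated as a known fact, and the banners in the sample inventory are constructed.

```python
"""Classify OpenSSL version banners against the Heartbleed-affected release line.

Added example, not part of the MF/PL wiki page. Fact assumed: the bug affects
OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it, and the 0.9.8 and 1.0.0
branches were never affected.
"""
import re
import ssl

# Matches "OpenSSL 1.0.1e 11 Feb 2013" or a bare "1.0.1g"; the trailing
# letter is OpenSSL's patch-release suffix ("" for the base release).
_BANNER = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)")

def parse_version(banner):
    """Return (major, minor, fix, patch_letter), or None if unparsable."""
    m = _BANNER.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter

def heartbleed_affected(banner):
    """True when the upstream version string falls in 1.0.1 .. 1.0.1f.

    Caveat: distributions backport fixes without bumping the upstream
    version string (Debian's fix kept the "1.0.1e" banner), so on packaged
    systems this is a first pass; the package changelog or advisory decides.
    """
    v = parse_version(banner)
    if v is None:
        raise ValueError(f"unrecognised OpenSSL version: {banner!r}")
    major, minor, fix, letter = v
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter <= "f"  # "" (1.0.1) and "a".."f" affected; "g" onward fixed

def triage(banners):
    """Map each banner in an inventory to 'affected' or 'not affected'."""
    return {b: ("affected" if heartbleed_affected(b) else "not affected")
            for b in banners}

# Constructed inventory, in the shape `openssl version` prints.
SAMPLE_INVENTORY = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:13} {banner}")
    # Live check of the library this interpreter is linked against.
    print("this host:", ssl.OPENSSL_VERSION, "->", triage([ssl.OPENSSL_VERSION]))
```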