wiki:heartbleed

Version 1 (modified by Jamie McClelland, 10 years ago)

--

Heartbleed Vulnerability

Dear May First/People Link Members,

A serious security vulnerability has been discovered in the most popular cryptography software on the Internet, affecting 2/3 of all web sites[1], including many May First/People Link members.

MF/PL's Support, Infrastructure and Data Sovereignty Team has been working hard to address the issue. Within 24 hours of the public announcement, we're proud to report that all servers have been upgraded.

Unfortunately, upgrading the server software is not enough. If you are running a web site that uses https, we will need your help to fully protect all services. Here's why:

During the period in which our servers were vulnerable, it was possible for someone who can access your traffic to compromise the key that encrypts that traffic. If your key was compromised, then fixing the bug is not enough: you'll need to generate a new key and get a new x509 certificate.

Questions:

How do I generate a new key?

Please visit our wiki page on generating keys and obtaining certificates.

How long were our servers vulnerable?

The vulnerability has existed for 2 years; however, most of our servers were vulnerable for a much shorter period. Seventy-six MF/PL servers were affected by this bug. A handful of them had been vulnerable for anywhere from 2 months to a year, about half had been vulnerable for 5 weeks, and the other half for less than a week.

Do I have to generate a new key?

No. It's your choice, and you may decide that it's not worth the effort. To compromise your site, an attacker must have had access to your Internet traffic and must have taken advantage of this bug either in the last 24 hours or prior to the public release of the bug. For most sites, that's unlikely. On the other hand, we now have concrete information about massive spying operations by the National Security Agency, including huge databases of recorded Internet traffic.

Notes:

  1. http://heartbleed.org calls it the most popular encryption library. And, Ars Technica estimates it is used by 2/3 of all web sites.