Version 6 (modified by Jamie McClelland, 7 years ago)

Heartbleed Vulnerability

Dear May First/People Link Members,

A serious security vulnerability has been discovered in the most popular cryptography software on the Internet, affecting 2/3 of all web sites, including many May First/People Link members.

MF/PL's Support, Infrastructure and Data Sovereignty Team has been working hard to address the issue. We're proud to report that, within 24 hours of the public announcement, all servers had been upgraded.

Unfortunately, upgrading the server software is not enough. We strongly encourage all members to change the passwords you have used on May First/People Link servers.

In addition, if you are running a web site that uses https and you have created your own "ssl" key and purchased your own certificate, we will need your additional help to fully protect all services. Here's why:

During the period in which our servers were vulnerable it was possible for someone who can access your traffic to compromise the key that encrypts that traffic. If your key was compromised, then fixing the bug is not enough: you'll need to generate a new key and get a new x509 certificate.

Questions

How do I generate a new key?

Please visit our wiki page on generating keys and obtaining certificates.
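The key rotation described above, as an added example that is not part of the May First/People Link wiki: it generates a fresh private key with a certificate signing request (CSR) to send to the certificate authority, and then checks, once the new x509 certificate arrives, that the certificate really carries the new public key rather than the old one. It assumes the openssl command-line tool is installed; the file names, the 2048-bit RSA key size and the hostname in the CSR subject are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the MF/PL wiki page. Assumes the openssl CLI is
# installed. File names, key size and the CN are constructed placeholders.

# Generate a fresh RSA key and a CSR for it. The CSR is what you send to the
# CA to obtain a new x509 certificate; the key never leaves the server.
new_key_and_csr() {
  key="$1"; csr="$2"; cn="$3"
  umask 077   # the new private key must be readable only by its owner
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$key" -out "$csr" -subj "/CN=$cn" >/dev/null 2>&1
}

# SHA-256 fingerprint of the public key inside a private key file.
key_pub_fp() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key inside an x509 certificate.
cert_pub_fp() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds (exit 0) only when the certificate and the key carry the same
# public key. Run this against the OLD key too: it must fail, otherwise the
# CA re-issued a certificate for the key you were trying to retire.
cert_matches_key() {
  cert="$1"; key="$2"
  [ -n "$(cert_pub_fp "$cert")" ] || return 1
  [ "$(cert_pub_fp "$cert")" = "$(key_pub_fp "$key")" ]
}
```

Typical use is `new_key_and_csr /etc/ssl/private/www.key /tmp/www.csr www.example.org`, then, after the CA returns the certificate, `cert_matches_key /etc/ssl/certs/www.crt /etc/ssl/private/www.key` before pointing the web server at the new pair. The fingerprint comparison is deliberately done on the public half only, so the check can be run by an operator who cannot read the private key directly.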

How long were our servers vulnerable?

The vulnerability has existed for 2 years; however, most of our servers were vulnerable for a much shorter period. Seventy-six MF/PL servers were affected by this bug. A handful of them were vulnerable for anywhere from 2 months to a year, about half were vulnerable for 5 weeks, and the other half for less than a week.

Do I have to generate a new key?

No. It's your choice and you may decide that it's not worth the effort. The vulnerability allowed an attacker to read the memory used by the web server. If nobody attempted to exploit the server your web site is running on during the period in which the server was vulnerable, then there is no reason to generate a new key or be worried about compromised data. On the other hand, if someone attempted to exploit any web site on your server (even if it's not your own web site), then your data may have been compromised.

Additional Information and Notes

According to the web site heartbleed, openssl is the most popular encryption library. And, arstechnica estimates it is used by 2/3 of all web sites.

For still more info: