Lets talk Heartbleed - (or don't press the PANIC button yet)
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,811
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #15 - Apr 17th, 2014 at 1:00am
Asketh -

And FaceBook provideth:

Wink
  

10256544_692629594113817_1373418854124751821_n.jpg (Attachment deleted)

I find your lack of faith disturbing.
 
George Maschke
Full Member
Posts: 315
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #14 - Apr 15th, 2014 at 12:52pm
Oh, one important point: when making sure your server isn't affected by the Heartbleed vulnerability, also check whether your HTTPS-enabled site supports Perfect Forward Secrecy. This feature helps to mitigate the harm if a server key is compromised. Qualys SSL Labs has a page that will test your server and report, among other things, on its support for Perfect Forward Secrecy:

https://www.ssllabs.com/ssltest/
  

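A local version of the forward-secrecy check George recommends, as an added example that is not part of the original thread or of YaBB. It classifies cipher-suite names by their key exchange (an ephemeral ECDHE/DHE exchange gives forward secrecy; plain RSA key transport or static (EC)DH does not), expands an OpenSSL cipher string the way a server configuration would be interpreted, and can report what a live server negotiates. The cipher list in the script is constructed sample data and the host in the commented-out call is a placeholder. A single connection only shows the suite negotiated with this client's own preferences; SSL Labs tries many client profiles, so use it for the full picture.

```python
"""Forward-secrecy check for TLS cipher suites (added example, not forum code)."""
import socket

try:
    import ssl
except ImportError:  # some minimal Python builds ship without the ssl module
    ssl = None

# Key-exchange tokens (OpenSSL and IANA spellings) that use an ephemeral
# Diffie-Hellman exchange, so a later compromise of the server's long-term
# key does not let previously captured traffic be decrypted. Static "ECDH"/"DH"
# and RSA key transport do not qualify; anonymous DH (ADH/AECDH) is ephemeral
# but unauthenticated, so it is deliberately not counted either.
FORWARD_SECRET_KEX = {"ECDHE", "DHE", "EDH"}


def provides_forward_secrecy(cipher_name: str) -> bool:
    """True if the named suite uses an ephemeral (EC)DH key exchange.

    Accepts OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256, AES128-SHA) and IANA
    names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA).
    """
    name = cipher_name.strip().upper()
    tokens = [t for t in name.replace("-", "_").split("_") if t]
    # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) name no key exchange because
    # TLS 1.3 always uses ephemeral (EC)DHE; every pre-1.3 IANA name has "WITH".
    if tokens[:1] == ["TLS"] and "WITH" not in tokens and "SCSV" not in tokens:
        return True
    return any(t in FORWARD_SECRET_KEX for t in tokens)


def audit_cipher_list(cipher_names):
    """Split a list of suite names into forward-secret and non-forward-secret."""
    return {
        "forward_secret": [c for c in cipher_names if provides_forward_secrecy(c)],
        "not_forward_secret": [c for c in cipher_names if not provides_forward_secrecy(c)],
    }


def expand_cipher_string(openssl_cipher_string: str):
    """Expand a server's OpenSSL cipher string (e.g. an Apache SSLCipherSuite
    value) into the concrete suites the local OpenSSL enables for it.

    Runs offline, so a configuration can be audited before it is deployed.
    """
    if ssl is None:
        raise RuntimeError("Python ssl module unavailable")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(openssl_cipher_string)  # raises ssl.SSLError on a bad string
    return [c["name"] for c in ctx.get_ciphers()]


def negotiated_cipher(host: str, port: int = 443, timeout: float = 5.0):
    """Connect to host:port and return (cipher, protocol, forward_secret).

    Needs network access; shows only the suite chosen for this client's
    preferences, not every suite the server would accept.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
    return name, version, provides_forward_secrecy(name)


if __name__ == "__main__":
    # Constructed sample: a cipher list as a server might have it configured.
    sample = [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "DHE-RSA-AES256-SHA",
        "AES128-SHA",
        "ECDH-RSA-AES128-SHA",
        "TLS_AES_256_GCM_SHA384",
    ]
    report = audit_cipher_list(sample)
    for suite in report["not_forward_secret"]:
        print("no forward secrecy:", suite)
    # Live check against a placeholder host; replace with your own server.
    # print(negotiated_cipher("your-server.example"))
```

To audit a real configuration, pass the server's cipher string to `expand_cipher_string()` and feed the result to `audit_cipher_list()`; anything left in `not_forward_secret` is a suite the server would still accept from a client that prefers it.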
 
George Maschke
Full Member
Posts: 315
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #13 - Apr 15th, 2014 at 12:48pm
My YaBB forum was afflicted by the Heartbleed vulnerability, or, more correctly speaking, the server that hosts it was. Getting it fixed involved first ensuring that our webhosting company updated the server and issued a new SSL cert based on a newly generated public/secret key pair, and then replacing my site's SSL cert with a new one based on a newly generated key pair. I've posted about it here:

https://antipolygraph.org/cgi-bin/forums/YaBB.pl?num=1396944982
  

 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,811
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #12 - Apr 13th, 2014 at 8:54pm
Here's a good explanation posted elsewhere by a geek 'friend of yabb':

Quote:
This is (by FAR) the best, easy to understand description of the heartbleed bug I have seen:

The original(which has a mild joke if you hover your mouse over it)

Wink
  

heartbleed_explanation.png (Attachment deleted)

I find your lack of faith disturbing.
 
xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
Posts: 1,587
Location: UK:Scotland/livingston

None
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #11 - Apr 13th, 2014 at 12:55am
------ wrote on Apr 10th, 2014 at 6:55pm:
I remember a person bringing some files to me on what he called his hard drive. It was actually a 3.5" floppy.

Huh Smiley
  

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
 
Bill Myers
God Member
Beta Testers
Posts: 1,600
Location: Los Angeles

YaBB 2.4
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #10 - Apr 11th, 2014 at 12:33am
  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
 
------
Senior Member
Beta Testers
Posts: 527
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #9 - Apr 10th, 2014 at 6:55pm
xnoddyx wrote on Apr 10th, 2014 at 6:44pm:
------ wrote on Apr 10th, 2014 at 1:58pm:
On another forum I'm on there are people insisting this is a virus (not a bug); there is no convincing them. Anyway, thanks for the information.

Huh, sounds like some people I know in real life who say "I am running out of memory" when their HDDs are almost full.  Roll Eyes



I remember a person bringing some files to me on what he called his hard drive. It was actually a 3.5" floppy.
  
 
xnoddyx
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
Posts: 1,587
Location: UK:Scotland/livingston

None
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #8 - Apr 10th, 2014 at 6:44pm
------ wrote on Apr 10th, 2014 at 1:58pm:
On another forum I'm on there are people insisting this is a virus (not a bug); there is no convincing them. Anyway, thanks for the information.

Huh, sounds like some people I know in real life who say "I am running out of memory" when their HDDs are almost full.  Roll Eyes
  

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
 
------
Senior Member
Beta Testers
Posts: 527
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #7 - Apr 10th, 2014 at 2:59pm
That sums it up eloquently.  Grin
  
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,811
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #6 - Apr 10th, 2014 at 2:19pm
You can only lead a horse to water, you can't send them to Yale, Harvard, Stanford, or MIT and expect to get anything back more than a horse with additional miles on it.  Wink

The general public OR newscasters speculating on this is like when those folks advance theories on the existence/non-existence of God, Aliens, how the universe may have come from a quantum fluctuation, or FTL travel.

On another forum, folks were noting what was said on Facebook. What does that say about the reliability of information?  It's only too bad Facebook isn't printed; we could end the cutting of trees for toilet paper manufacture.  Cheesy

Roll Eyes
  

I find your lack of faith disturbing.
 
------
Senior Member
Beta Testers
Posts: 527
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #5 - Apr 10th, 2014 at 1:58pm
On another forum I'm on there are people insisting this is a virus (not a bug); there is no convincing them.

Anyway, thanks for the information.
  
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 3,811
Location: Land of the Blazing Sun!

YaBB 2.6.0
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #4 - Apr 10th, 2014 at 7:17am
After I posted the same advice on another forum, I got a question:
Quote:
I saw stuff on facebook telling people to change their passwords. I get the feeling you are saying this isn't necessary?


Not quite.

What I am saying is "only the 'service provider' can assess their risk", i.e. Facebook, Yahoo, AWS (Amazon Web Services 'Cloud') etc. ALL these folks have custom versions of server software (they 'roll their own'). So, IF they were vulnerable, they need to recompile and then bring the 'patched' systems online.

Not all 'systems' are exploitable even if they are vulnerable. The service providers will notify users if they need to make changes. So if you use, say, "Yahoo Business Mail" (as I do), you can see what is up by checking the status page:
http://www.ysmallbizstatus.com

These systems can be patched without user intervention.  Once the system software is patched, a replacement SSL certificate is signed and put 'in-line' and the software says (effectively) 'discard any previous keypairs and get a new keypair'.  This is the 'important issue'.

Separately, some user credentials (user id ==> account information) may have been scraped from server memory. If the service provider believes that may have happened, they can force an account change when you log on (just like if I changed your password here).  They have to build or put in place a 're-authentication' process.  Most of these companies already have such tools, they just have to turn them on.  Think 'secret questions' or text to mobile code passing (most providers routinely use these tools for 'broken passwords'). In our case, I might send you an e-mail, post a PM elsewhere or do a FB message to you.

Of course, periodically changing passwords is never a bad idea.

I hope I have clarified things a bit.

Cool
  

I find your lack of faith disturbing.
 
Dandello
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
Posts: 2,258
Location: Earth

YaBB 2.6.0
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #3 - Apr 9th, 2014 at 10:08pm
So, if you're running SSL, go buy a 'real' certificate? (Most mail clients have hissy fits when they see SSL and self-generated certificates anyway... Roll Eyes )
  

If you only have one solution to a problem you're not trying hard enough!
 
------
Senior Member
Beta Testers
Posts: 527
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #2 - Apr 9th, 2014 at 8:01pm
Thanks for the heads up.
  
 
Elrick.
YaBB Moderators
Beta Testers
Posts: 163
Location: Edge of the Abyss

YaBB 2.6.0
Re: Lets talk Heartbleed - (or don't press the PANIC button yet)
Reply #1 - Apr 9th, 2014 at 6:48pm
Thanks Jon for the informative lesson and interesting eye-opener links. We’ve been exposing our a$$ets via our hosts!! Presumably the cPanel upgrade to PHP 5.4.27 that some of the hosts have conducted recently should have taken care of these vulnerabilities? It just changes the error log format on cPanel, and I will need to learn the translation of [pid 578268] and AH01797, whatever they might be!!

~*~
  

 