Heads up - OpenSSL vulnerability HEARTBLEED

I don’t know if any of you follow the Security news, but there’s a major
issue doing the rounds at the moment in the OpenSSL library (used notably
in HTTPS, but also in all sorts of other unexpected places, such as VPN
software, Radius servers and Instant Messengers). It has been vulnerable
since ~2011 when OpenSSL 1.0.1 was released. See http://heartbleed.com

If you have an HTTPS based site, you might want to check against your
server using this tool: http://filippo.io/Heartbleed/

OpenVPN is affected, and under certain circumstances, FreeRadius is too.
Some routers, switches, VPN terminators and firewalls may be affected -
either via their web interfaces, or by using insecure libraries for
internal processes. You should subscribe to at least any security mailing
lists for any critical software and infrastructure you’re using for your
business or social sites (which is how I started hearing about this lot).

Regards,
Jon “The Nice Guy” Spriggs

If you have an HTTPS based site, you might want to check against your server
using this tool: http://filippo.io/Heartbleed/

That’s a useful link. I’ve updated my server accordingly. It appears that you not only need to install the patch but also regenerate the SSL certificates.

Hi Jon

Have already checked, hacman’s site doesn’t serve content via https so
currently is not affected.

Kat

If you have an HTTPS based site, you might want to check against your
server using this tool: http://filippo.io/Heartbleed/

That’s a useful link. I’ve updated my server accordingly. It appears
that you not only need to install the patch but also regenerate the SSL
certificates.

… and… once and only once you’ve both patched the server and changed
the certs change any credentials (passwords etc.) you may have sent over
that ‘secured’ link :confused:

Hi Jon

Have already checked, hacman’s site doesn’t serve content via https so
currently is not affected.

Already checked too. Automatic security updates beat me to installing the fixed versions of openssl. Note, it’s not just HTTPS, it’s any service that does TLS and uses OpenSSL. The server previously did mail and TLS was probably used but only for the purposes of opportunistic encryption. I’m pretty sure Exim is linked with GnuTLS on Debian, so it’s probably a complete non-issue.

Impact: snooping of emails that are often sent in the clear anyway. If TLS was required for mail submission (it wasn’t set up), SMTP auth credentials could have been leaked.

It’s not much of an issue, but if the key/certificate would ever be used again it should be regenerated. Unless beaten to it, I’ll just remove the currently unused key and certificate to prevent reuse, if it exists at all (can’t check right now).

On a vaguely related note, I work for a security testing company, Westpoint1. We frequently (3-5 times a week, sometimes more) run vulnerability scans against our own systems and personally owned systems, just to test updates to the test set. I can include the HACMan server if you like. There’s no cost, but you’ll also get no reports, but then I’ll either deal with issues or let you know about them.

Shall I do this? I’m sure Bitfolk are okay with it, but it would be good to let them know.

Simon

If you have an HTTPS based site, you might want to check against your
server using this tool: http://filippo.io/Heartbleed/

That’s a useful link. I’ve updated my server accordingly. It appears
that you not only need to install the patch but also regenerate the SSL
certificates.

You need to consider any data that may have been processed by any service using TLS and openssl. This can, for example, include login credentials, not just the certificate and private key. If you had a login to your site, you should reset passwords.

You also need to ensure you restart any service using openssl. The first Debian update didn’t do this for all services. If unsure, just restart the system.

Simon
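As an added example for Simon's point about restarting every service that uses openssl (this is not code from anyone in the thread): on Linux, a daemon started before the package upgrade still has the old libssl/libcrypto mapped, and /proc/<pid>/maps marks that mapping "(deleted)". The script below looks for exactly that; the sample maps lines it runs against are constructed, and `find_stale_libssl` / `report_stale_processes` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: find processes that still map an
# OpenSSL library that was replaced on disk by the update, i.e. services that
# have not been restarted and so still run the vulnerable code.
# On Linux, /proc/<pid>/maps tags such mappings with "(deleted)".

# Read maps-format lines on stdin; print each libssl/libcrypto path marked deleted.
# Field 6 of a maps line is the path; "(deleted)" follows it as field 7.
find_stale_libssl() {
  grep -E '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' | awk '{print $6}' | sort -u
}

# Walk every process on a live host and print pid, command and stale library.
# Needs root to read other users' maps. Where lsof is installed,
# "lsof -n | grep -E 'lib(ssl|crypto)' | grep DEL" gives a similar view.
report_stale_processes() {
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}
    pid=${pid%/maps}
    stale=$(find_stale_libssl < "$maps" 2>/dev/null) || continue
    [ -n "$stale" ] || continue
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    printf '%s\t%s\t%s\n' "$pid" "$comm" "$stale"
  done
}

# Constructed sample of what a not-yet-restarted daemon's maps might contain:
# old libssl and libcrypto still mapped after the package upgrade, plus an
# unrelated deleted library that must not be reported.
SAMPLE_MAPS='7f1a00000000-7f1a00200000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a00200000-7f1a00300000 r-xp 00000000 08:01 132 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1a00300000-7f1a00400000 r-xp 00000000 08:01 133 /lib/x86_64-linux-gnu/libc-2.13.so
7f1a00400000-7f1a00500000 r-xp 00000000 08:01 134 /usr/lib/x86_64-linux-gnu/libz.so.1.2.7 (deleted)'

# Demonstrate on the constructed sample; on a real host call report_stale_processes.
printf '%s\n' "$SAMPLE_MAPS" | find_stale_libssl
```

An empty result from `report_stale_processes` after the upgrade means no running process is still using the old library; anything listed needs a restart (or a reboot, as Simon says).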