Addressing Internet "Heartbleed" Emergency

Discussion in 'Forum Announcements' started by Mike, Apr 9, 2014.

  1. Mike

    Mike Windows Forum Admin
    Staff Member Premium Supporter

    This website is not affected by the exploit in any way.

    Further information:

    Last night, news about a remote OpenSSL bug was disclosed on http://heartbleed.com/, which detailed an exploit in the OpenSSL system library that handles HTTPS connections on your server. This bug impacts CentOS 6.x servers and any server with Litespeed prior to 4.2.9. A fix was issued by the CentOS maintainers which patched this issue last night. Litespeed has also patched this with version 4.2.9. All CentOS 6 servers that do not have any added third-party yum repositories, along with cPanel/WHM updates turned on, should have auto-updated over the course of last night and this morning. We are now pushing out the Litespeed upgrade to all affected customers. This means that your server should already be patched with the fix that prevents this issue moving forward. Our support team has been working hard today to ensure that all CentOS 6 servers have been updated with this patch.

    Because WindowsForum.com does not actively use OpenSSL for any security-required data or password-related transactions, we confirm no harm has been done by the "Heartbleed" exploit. However, 2/3rds of the Internet is currently in an emergency situation, since most online stores are using some form of SSL exploited here. We are not affected by the Heartbleed Internet disaster.

    This guy simplifies exactly what is going on over the Internet:


    For even further information: http://lmgtfy.com/?q=Heartbleed

    http://filippo.io/Heartbleed/#windowsforum.com:443
     
    #1 Mike, Apr 9, 2014
    Last edited: Apr 9, 2014
  2. Ralph Bromley

    Ralph Bromley Honorable Member

    What gets me is that some are calling this a big folly for the open source world; the thing is, exploits like this are all over the place in both open and closed source software.
    They just become big when developers don't patch in time or people don't do what they are supposed to do.
    The issue with OpenSSL is its widespread use, and how many don't take action to patch it.
    OpenSSL is underfunded and so bugs are going to come without proper developers. Want to improve things? Become a developer.
    The code is wide open.
     
  3. Mike

    Mike Windows Forum Admin
    Staff Member Premium Supporter

    More important to me: why aren't affected sites reissuing SSL keys or forcing mandatory password changes? When will firmware be made available for routers, switches, etc.? Corporations take advantage of open source by integrating it into their proprietary hardware and software, but even now profits are being put ahead of possible privacy and security intrusions.


     
  4. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    The difference is that Microsoft can perpetually be sued for creating a security stuff-up but open source software is "use at your own risk"… I know, sue Microsoft = "good luck with that" but the perception is still a valid one. The internet works because everyone agrees to use it, but if enough business suits panic then you could well see bans placed on CentOS servers resulting from media witch-hunts… bearing in mind that the average person in charge of a company knows little to jack about the computer systems running it.

    What if someone did get some server's ID key… what if they stuffed about with it as a gag… what if?

    Did the roads and traffic authority issue you a speeding fine in the last two years?

    Did the hospital confirm that you don't have AIDS before you got married last year?

    Do you remember the Y2K bug… the actual damage these things can do gets ignored when it's a slow news week and all kinds of experts pop out of the woodwork with scenarios designed to sell newspapers.
     
  5. Ralph Bromley

    Ralph Bromley Honorable Member

    Well, open source is not made by a company (most of the time); OpenSSL certainly wasn't company-made, to be sure.
     
