Addressing Internet "Heartbleed" Emergency

Mike

Windows Forum Admin
Staff member
Premium Supporter
#1
This website is not affected by the exploit in any way.

Further information:

Last night, news about a remote OpenSSL bug was disclosed on http://heartbleed.com/, which detailed an exploit in the OpenSSL system library that handles HTTPS connections on your server. This bug impacts CentOS 6.x servers and any server with LiteSpeed prior to 4.2.9. A fix was issued by the CentOS maintainers which patched this issue last night. LiteSpeed has also patched this with version 4.2.9. All CentOS 6 servers that do not have any added third-party yum repositories, along with cPanel/WHM updates turned on, should have auto-updated over the course of last night and this morning. We are now pushing out the LiteSpeed upgrade to all affected customers. This means that your server should already be patched with the fix that prevents this issue moving forward. Our support team has been working hard today to ensure that all CentOS 6 servers have been updated with this patch.

Because WindowsForum.com does not actively use OpenSSL for any security-required data or password-related transactions, we confirm no harm has been done by the "Heartbleed" exploit. However, 2/3rds of the Internet is currently in an emergency situation, since most online stores are using some form of SSL exploited here. We are not affected by the Heartbleed Internet disaster.

This guy simplifies exactly what is going on over the Internet:

For even further information: http://lmgtfy.com/?q=Heartbleed

http://filippo.io/Heartbleed/#windowsforum.com:443
 



Ralph Bromley

Honorable Member
#2
What gets me is that some are calling this a big folly for the open source world; the thing is, exploits like this are all over the place in both open and closed source software.
They just become big when developers don't patch in time or people don't do what they are supposed to do.
The issue with OpenSSL is its widespread use, and how many don't take action to patch it.
OpenSSL is underfunded, and so bugs are going to come without proper developers; want to improve things, become a developer.
The code is wide open.
 


Mike

Windows Forum Admin
Staff member
Premium Supporter
#3
More important to me: why aren't affected sites reissuing SSL keys or forcing mandatory password changes? When will firmware be made available for routers, switches, etc.? Corporations take advantage of open source by integrating it into their proprietary hardware and software, but even now profits are being put ahead of possible privacy and security intrusions.

 


ussnorway

Windows Forum Team
Staff member
Premium Supporter
#4
The difference is that Microsoft can perpetually be sued for creating a security stuff-up, but open source software is "use at your own risk"… I know, sue Microsoft = "good luck with that", but the perception is still a valid one. The internet works because everyone agrees to use it, but if enough business suits panic then you could well see bans placed on CentOS servers resulting from media witch-hunts… bearing in mind that the average person in charge of a company knows little to jack about their computer systems running it.

What if someone did get some server's ID key… what if they stuffed about with it as a gag… what if?

Did the roads and traffic authority issue you a speeding fine in the last two years?

Did the hospital confirm that you don't have AIDS before you got married last year?

Do you remember the Y2K bug… the actual damage these things can do gets ignored when it's a slow news week and all kinds of experts pop out of the woodwork with scenarios designed to sell newspapers.
 


Ralph Bromley

Honorable Member
#5
Well, open source is not made by a company (most of the time); OpenSSL certainly wasn't company-made, to be sure.
 

