openssl has been identified as including a fatal flaw - see here: http://heartbleed.com/
so the https function of sites needs to be reset - and all passwords for all users also reset.
is there a more effective way of doing this in elgg, other than sending a direct massmail request to all users? is there a plugin to force all users to change passwords?
©2014 the Elgg Foundation
@Ural PFS should protect against this bug. see this quote on http://heartbleed.com/
Use of Perfect Forward Secrecy (PFS), which is unfortunately rare but powerful, should protect past communications from retrospective decryption.
It will not if the hacker was able to get the keys prior to using PFS. There seems to be a caveat in that which I do not completely understand yet. Maybe some of the native English guys might shed some light on it. I don't want to reset all passwords and change keys.
I have PFS to protect me from leaking keys.
I also ran the test, and I do not have the patch or upgraded SSL, and it says
http://filippo.io/Heartbleed/#centillien.com:443
i am not expert in ssl, though i have researched ssl more than most users of it, as far as i am aware.
from memory, forward secrecy is the process of changing keys regularly, so as to prevent a breach of the encryption from affecting all communication to/from the site. with forward secrecy, each individual (or group of) communications has unique keys. so, exactly as you quoted: "should protect past communications from retrospective decryption."
however, this heartbleed bug, as i comprehend it, could/would expose a hole that would bypass all security on the server completely - and would thus result in any amount of hacking activity being applied to the server.. meaning that any amount of malware can be implanted, which would negate any and all encryption until the malware is removed.
I suggest checking for rootkits with rkhunter and for malware with clamav before changing all passwords, in case you used PFS. If you didn't, also check, but take appropriate measures like updating OpenSSL or implementing PFS until the update is available from your distro.
more on nginx in relation to this here: http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/
the qualys ssl test has been updated to include a heartbleed test:
https://www.ssllabs.com/ssltest/index.html
heartbleed tsunami yet to arrive: http://news.netcraft.com/archives/2014/04/11/heartbleed-certificate-revocation-tsunami-yet-to-arrive.html
startssl threatened with losing trusted status for not offering free revocations: https://bugzilla.mozilla.org/show_bug.cgi?id=994033
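The thread's advice to update OpenSSL raises the practical question of how to tell whether the build on a given box is one of the affected upstream releases. The POSIX shell script below is an added example, not code from any poster or from the Elgg project: it classifies the output of `openssl version` against the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g; 0.9.8 and 1.0.0 never had the heartbeat code) and also recognises a build compiled with `-DOPENSSL_NO_HEARTBEATS`, which `openssl version -a` shows in its compiler line. The sample version strings embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Classify an OpenSSL version string against the Heartbleed-affected range.
# Caveat: distributions commonly backport the fix without changing the
# upstream version string, so "affected-upstream" means "verify the package
# changelog", not "definitely vulnerable".

heartbleed_status() {
    # $1: first line printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    hb_ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$hb_ver" in
        1.0.1|1.0.1[a-f])   echo "affected-upstream" ;;   # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*)        echo "fixed" ;;               # 1.0.1g and later
        1.0.2-beta1)        echo "affected-upstream" ;;   # only the first 1.0.2 beta
        1.0.2*)             echo "fixed" ;;
        0.9.8*|1.0.0*)      echo "not-affected" ;;        # no heartbeat extension
        1.[1-9]*|[2-9].*)   echo "not-affected" ;;        # released after the fix
        *)                  echo "unknown" ;;
    esac
}

heartbleed_status_full() {
    # $1: full output of `openssl version -a`; a build configured with
    # no-heartbeats carries -DOPENSSL_NO_HEARTBEATS in its compiler line.
    if printf '%s\n' "$1" | grep -q 'OPENSSL_NO_HEARTBEATS'; then
        echo "fixed-heartbeats-disabled"
        return 0
    fi
    heartbleed_status "$(printf '%s\n' "$1" | head -n 1)"
}

# Constructed sample of `openssl version -a` output from a no-heartbeats build
# (not real output from any host in the thread).
SAMPLE_NO_HEARTBEATS='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Apr  8 12:00:00 UTC 2014
platform: linux-x86_64
compiler: gcc -DOPENSSL_NO_HEARTBEATS -fPIC -O3 -Wall'

# Report on the local binary when one is present; harmless when it is not.
if command -v openssl >/dev/null 2>&1; then
    hb_local=$(openssl version -a 2>/dev/null)
    printf '%s -> %s\n' "$(printf '%s\n' "$hb_local" | head -n 1)" \
        "$(heartbleed_status_full "$hb_local")"
fi
```

Treat "affected-upstream" as a prompt to check the installed package's changelog for CVE-2014-0160 rather than as a verdict; the qualys and filippo.io tests linked above probe the actual server behaviour and are the better final check after the upgrade and restart.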