Bitcoin Forum

Other => Meta => Topic started by: LightRider on April 08, 2014, 12:05:36 PM



Title: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: LightRider on April 08, 2014, 12:05:36 PM
www.heartbleed.com


Title: Re: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: dserrano5 on April 08, 2014, 12:21:13 PM
Quote
www.heartbleed.com

http://filippo.io/Heartbleed/#bitcointalk.org


Title: Re: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: EFS on April 08, 2014, 01:13:39 PM
Quote
All good, bitcointalk.org seems not affected!


Title: Re: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: BitPappa on April 08, 2014, 07:04:23 PM
Quote
www.heartbleed.com

http://filippo.io/Heartbleed/#bitcointalk.org

I'm wondering, does this just test if the bug is present? If so, that means if the file with the bug is updated, but the certificate is not updated, it might give a false negative… I'm just theorizing generally, not assuming that's the case with BitcoinTalk.

I think the filippo site is drowning right now, I haven't got it to give me any results lately.


Title: Re: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: Bit_Happy on April 08, 2014, 10:15:26 PM
Yes, we need to know if the cert was changed after the server was updated.


Title: Re: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: Blaater on April 08, 2014, 10:22:49 PM
Quote
All good, bitcointalk.org seems not affected!

I am getting:
Quote

bitcointalk.org IS VULNERABLE.


Title: Re: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: Bit_Happy on April 08, 2014, 10:30:12 PM
Quote
www.heartbleed.com

http://filippo.io/Heartbleed/#bitcointalk.org

That site wants the hostname of a server (i.e. server1.domain.com), not just a domain name.


Title: Re: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: DeathAndTaxes on April 08, 2014, 10:32:19 PM
Quote
www.heartbleed.com

http://filippo.io/Heartbleed/#bitcointalk.org

That site wants the hostname of a server (i.e. server1.domain.com), not just a domain name.

Um, you do know that bitcointalk.org is both a domain name and a host name. Most sites use a null or naked domain as their host. There is very likely no something.bitcointalk.org.

Now if the site was forum.bitcointalk.org you couldn't enter just bitcointalk.org.

Quote
Retrieving DNS records for bitcointalk.org...
DNS servers
dns2.registrar-servers.com [208.64.122.242]
dns5.registrar-servers.com [208.64.122.242]
dns1.registrar-servers.com [173.245.58.17]
dns4.registrar-servers.com [173.245.58.17]
dns3.registrar-servers.com [69.197.21.28]

Answer records
bitcointalk.org      A   109.201.133.195   7200s

Yup, the only A record points to bitcointalk.org, not something.bitcointalk.org.


Title: Re: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: Bit_Happy on April 09, 2014, 02:14:25 AM
Quote
...
Um, you do know that bitcointalk.org is both a domain name and a host name....


Thanks, I had it confused with the Linux hostname command which gives server1.example.com.
I used to set up servers "way too often", but I found a reliable VPS and haven't had to move and rebuild for almost 2.5 years. :)


Title: Re: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: NLNico on April 09, 2014, 02:29:26 AM
Quote
I'm wondering, does this just test if the bug is present?

Yes.

Quote
If so, that means if the file with the bug is updated, but the certificate is not updated, it might give a false negative…

Not really a false negative, because the vulnerability is not there any more. But yeah, if your server was once vulnerable, you should consider the private key of the certificate as stolen, and potentially even users' cookies/passwords. That's why I assume bitcointalk.org never had this vulnerability, because I am sure theymos would have made a topic about it then (with a warning to change our passwords to be sure).
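A defender-side check for the point raised here and earlier in the thread (whether the certificate was re-issued after the OpenSSL fix, so that a key which existed while the server was exposed is not still in use), written as an added example that is not from any poster. The fix date is OpenSSL 1.0.1g's release day; the sample certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and the host name on the command line is the caller's own server.

```python
import ssl
import socket
from datetime import datetime, timezone

# OpenSSL 1.0.1g, the Heartbleed fix, was released on 2014-04-07. The key was at
# risk until *your* server was patched, so substitute your own patch time here.
HEARTBLEED_FIX = datetime(2014, 4, 7, tzinfo=timezone.utc)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the server certificate as the dict that getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_issued_after(cert, patched_at=HEARTBLEED_FIX):
    """Return (ok, reason).

    ok is False when the certificate's notBefore precedes the patch time: the
    private key then existed while the server may still have been leaking
    memory, and it should be treated as exposed (re-key, re-issue, revoke).
    """
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if not_before < patched_at:
        return False, ("certificate issued %s, before the fix on %s: "
                       "re-key and re-issue, then revoke the old certificate"
                       % (not_before.date(), patched_at.date()))
    return True, "certificate issued %s, after the fix" % not_before.date()


# Constructed samples in getpeercert() format (not real certificates).
SAMPLE_OLD_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
SAMPLE_NEW_CERT = dict(SAMPLE_OLD_CERT, notBefore="Apr 10 00:00:00 2014 GMT")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_peer_cert(host) if host else SAMPLE_OLD_CERT
    ok, reason = cert_issued_after(cert)
    print("OK" if ok else "RE-ISSUE", "-", reason)
```

notBefore only shows when the certificate was issued; a certificate re-issued on the old private key would pass this check, so also compare the public key with the one served before the patch.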


Title: Re: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: LightRider on April 15, 2014, 12:50:38 AM
Hmm... I thought that the leaked memory would only include OpenSSL-specific stuff, but I did some more research and I think you're right: user passwords could have possibly been leaked, though it would have been difficult.

I'll log everyone out and add this info to the header.


Title: Re: Is this server vulnerable to Heartbleed OpenSSL vulnerability?
Post by: Justin00 on April 15, 2014, 01:06:30 AM
That site does not actually check correctly.
It reported a number of sites as not vulnerable that were vulnerable.
Do not trust it, check anyway.

This one, which another user posted, is good and actually accurate - https://www.ssllabs.com/ssltest/analyze.html?d=bitcointalk.org

Alternatively, if you have a Unix box with Python 2.7 (if I recall correctly), just download the Python script and test yourself.



Quote
www.heartbleed.com

http://filippo.io/Heartbleed/#bitcointalk.org