Is this server vulnerable to Heartbleed OpenSSL vulnerability?

[LightRider]

www.heartbleed.com

[1715337698]

1715337698

[dserrano5]

www.heartbleed.com

http://filippo.io/Heartbleed/#bitcointalk.org

[EFS]

All good, bitcointalk.org seems not affected!

[BitPappa]

www.heartbleed.com

http://filippo.io/Heartbleed/#bitcointalk.org

I'm wondering, does this just test if the bug is present? If so, that means if the file with the bug is updated, but the certificate is not updated, it might give a false negative… I'm just theorizing generally, not assuming that's the case with BitcoinTalk.

I think the filippo site is drowning right now, I haven't got it to give me any results lately.

[Bit_Happy]

Yes, we need to know if the cert was changed after the server was updated.

[Blaater]

All good, bitcointalk.org seems not affected!

I am getting:

bitcointalk.org IS VULNERABLE.

[Bit_Happy]

www.heartbleed.com

http://filippo.io/Heartbleed/#bitcointalk.org

That site wants the hostname of a server (i.e. server1.domain.com) not just a domain name.

[DeathAndTaxes]

www.heartbleed.com

http://filippo.io/Heartbleed/#bitcointalk.org

That site wants the hostname of a server (i.e. server1.domain.com) not just a domain name.

Um you do know that bitcoin.og is both a domian name and a host name.   Most sites use a null or naked domain as their host.  There is very likely no something.bitcointalk.org.

Now if the site was forum.bitcointalk.org you couldn't enter just bitcointalk.org.

Retrieving DNS records for bitcointalk.org...
DNS servers
dns2.registrar-servers.com [208.64.122.242]
dns5.registrar-servers.com [208.64.122.242]
dns1.registrar-servers.com [173.245.58.17]
dns4.registrar-servers.com [173.245.58.17]
dns3.registrar-servers.com [69.197.21.28]

Answer records
bitcointalk.org      A   109.201.133.195   7200s

Yup only A record points to bitcointalk.org not something.bitcointalk.org

[Bit_Happy]

...
Um you do know that bitcoin.og is both a domian name and a host name....

Thanks, I had it confused with the Linux hostname command which gives server1.example.com.
I used to set up servers "way too often", but I found a reliable VPS and haven't had to move and rebuild for almost 2.5 years. 

[NLNico]

I'm wondering, does this just test if the bug is present?

Yes.

If so, that means if the file with the bug is updated, but the certificate is not updated, it might give a false negative…

Not really a false negative because the vulnerability is not any more there. But yeh if your server was once vulnerable, you should consider the private key of the certificate as stolen and potentially even users' cookies/passwords. That's why I assume bitcointalk.org never had this vulnerability because I am sure theymos would have made a topic about it then (with a warning to change our passwords to be sure.)

[LightRider]

Hmm... I thought that the leaked memory would only include OpenSSL-specific stuff, but I did some more research and I think you're right: user passwords could have possibly been leaked, though it would have been difficult.

I'll log everyone out and add this info to the header.

[Justin00]

that site does not actually check correctly.
it reported a number of sites not vulnerable that were vulnerable.
do not trust it, to check anyways.

This one which another user posted up is good and actually accurate - https://www.ssllabs.com/ssltest/analyze.html?d=bitcointalk.org

alternatively if you have a unix box with python 2.7 (if i recall correctly) just download the python script and test yourself.

www.heartbleed.com

http://filippo.io/Heartbleed/#bitcointalk.org