SSL Heartbleed bug
-
- Member
- Posts: 141
- Joined: Sun Apr 01, 2012 1:58 pm
SSL Heartbleed bug
Has the Church patched the Heartbleed bug on all its services that use SSL, yet?
-
- Community Moderators
- Posts: 3856
- Joined: Thu Jan 25, 2007 11:32 am
- Location: Dundee, Oregon, USA
Re: SSL Heartbleed bug
That's a very good question. I posted in the moderator/administrator forum that the question had been asked. I suspect others will be asking the same question. I'm not sure there will be an official answer, but I'll keep an eye out for one in case I see it before someone else posts a reference in this thread.
Meanwhile, on the Debian mailing list, I saw mention of a few sites that will test other sites for the vulnerability. I can't vouch for the integrity of the sites, and I have no connection with them, but I tried them out and they looked reasonable.
http://filippo.io/Heartbleed
https://www.ssllabs.com/ssltest/
There was also mention of a tool for scanning a complete network, and instructions on how to use it. I have not tried this tool, and I have no connection with the authors of either the tool or instructions, but I did look at the instruction page and github page. Your mileage might vary.
https://github.com/robertdavidgraham/masscan
http://blog.erratasec.com/2014/04/using ... bleed.html
Hope that helps at least a little.
Robert Riches
LDSTech Community Moderator
-
- Community Administrator
- Posts: 34503
- Joined: Sat Jan 20, 2007 2:53 pm
- Location: U.S.
Re: SSL Heartbleed bug
It should be noted that the Heartbleed bug only affects the OpenSSL cryptographic software library. It's a popular library, but by no means the only SSL library out there. If the server uses SSL other than OpenSSL and isn't based on OpenSSL, then it's not an issue.
IOW, if SSL were a car, Chevy just got a recall but Ford owners need not be concerned. Not all SSL is a risk.
That said, I don't have an official answer about the status of the church servers or which SSL libraries they use.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.
So we can better help you, please edit your Profile to include your general location.
-
- Church Employee
- Posts: 3025
- Joined: Mon Feb 09, 2009 4:55 pm
- Location: Riverton, Utah
Re: SSL Heartbleed bug
Yes. The patching process is complete and a new SSL certificate has been installed for lds.org.
-
- Member
- Posts: 141
- Joined: Sun Apr 01, 2012 1:58 pm
Re: SSL Heartbleed bug
Awesome! Thank you everyone. That's really good to know about there being multiple SSLs. I knew the problem was with OpenSSL, but I wasn't sure that other SSLs existed.
-
- Member
- Posts: 141
- Joined: Sun Apr 01, 2012 1:58 pm
Re: SSL Heartbleed bug
Sorry. I meant SSL in the subject. I guess I was subconsciously thinking of shells and terminals or something when I wrote this. If someone with admin privileges could edit that, that would be awesome.
- aebrown
- Community Administrator
- Posts: 15153
- Joined: Tue Nov 27, 2007 8:48 pm
- Location: Draper, Utah
Re: SSL Heartbleed bug
mark_h_dewey wrote: Sorry. I meant SSL in the subject. I guess I was subconsciously thinking of shells and terminals or something when I wrote this. If someone with admin privileges could edit that, that would be awesome.
Done.
-
- Member
- Posts: 141
- Joined: Sun Apr 01, 2012 1:58 pm
Re: SSL Heartbleed bug
Thanks! That was fast!
-
- Community Administrator
- Posts: 34503
- Joined: Sat Jan 20, 2007 2:53 pm
- Location: U.S.
Re: SSL Heartbleed bug
I did find a list of sites on the Internet that were taken before the patches rolled out:
Testing lds.org... not vulnerable.
Testing familysearch.org... not vulnerable.
So if there was a problem, it probably was only some smaller sites.