SSL Heartbleed bug

LDS Account is the primary user account (user name and password) for accessing online Church resources. This forum is a space to discuss all things related to LDS Account (registration, account recovery, user experience, vulnerabilities, etc.).
mark_h_dewey
New Member
Posts: 20
Joined: Sun Apr 01, 2012 12:58 pm

SSL Heartbleed bug

Postby mark_h_dewey » Wed Apr 09, 2014 6:16 pm

Has the Church patched the Heartbleed bug on all its services that use SSL, yet?

rmrichesjr
Community Moderators
Posts: 1038
Joined: Thu Jan 25, 2007 11:32 am
Location: Dundee, Oregon

Re: SSL Heartbleed bug

Postby rmrichesjr » Wed Apr 09, 2014 8:35 pm

That's a very good question. I posted in the moderator/administrator forum that the question had been asked. I suspect others will be asking the same question. I'm not sure there will be an official answer, but I'll keep an eye out for one in case I see it before someone else posts a reference in this thread.

Meanwhile, on the Debian mailing list, I saw mention of a few sites that will test other sites for the vulnerability. I can't vouch for the integrity of the sites, and I have no connection with them, but I tried them out and they looked reasonable.

http://filippo.io/Heartbleed

https://www.ssllabs.com/ssltest/

There was also mention of a tool for scanning a complete network, and instructions on how to use it. I have not tried this tool, and I have no connection with the authors of either the tool or instructions, but I did look at the instruction page and github page. Your mileage might vary.

https://github.com/robertdavidgraham/masscan

http://blog.erratasec.com/2014/04/using ... bleed.html

Hope that helps at least a little.

Robert Riches
LDSTech Community Moderator

russellhltn
Community Administrator
Posts: 20735
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: SSL Heartbleed bug

Postby russellhltn » Wed Apr 09, 2014 8:56 pm

It should be noted that the Heartbleed bug only affects the OpenSSL cryptographic software library. It's a popular library, but by no means the only SSL library out there. If the server uses SSL other than OpenSSL and isn't based on OpenSSL, then it's not an issue.

IOW, if SSL were a car, Chevy just got a recall but Ford owners need not be concerned. Not all SSL is a risk.

That said, I don't have an official answer about the status of the church servers or which SSL libraries they use.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

scgallafent
Church Employee
Posts: 1043
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Re: SSL Heartbleed bug

Postby scgallafent » Thu Apr 10, 2014 7:41 am

Yes. The patching process is complete and a new SSL certificate has been installed for lds.org.

mark_h_dewey
New Member
Posts: 20
Joined: Sun Apr 01, 2012 12:58 pm

Re: SSL Heartbleed bug

Postby mark_h_dewey » Thu Apr 10, 2014 1:20 pm

Awesome! Thank you everyone. That's really good to know about there being multiple SSLs. I knew the problem was with OpenSSL, but I wasn't sure that other SSLs existed.

mark_h_dewey
New Member
Posts: 20
Joined: Sun Apr 01, 2012 12:58 pm

Re: SSL Heartbleed bug

Postby mark_h_dewey » Thu Apr 10, 2014 1:23 pm

Sorry. I meant SSL in the subject. I guess I was subconsciously thinking of shells and terminals or something when I wrote this. If someone with admin privileges could edit that, that would be awesome.

aebrown
Community Administrator
Posts: 14689
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Re: SSL Heartbleed bug

Postby aebrown » Thu Apr 10, 2014 1:30 pm

mark_h_dewey wrote: Sorry. I meant SSL in the subject. I guess I was subconsciously thinking of shells and terminals or something when I wrote this. If someone with admin privileges could edit that, that would be awesome.

Done.

mark_h_dewey
New Member
Posts: 20
Joined: Sun Apr 01, 2012 12:58 pm

Re: SSL Heartbleed bug

Postby mark_h_dewey » Thu Apr 10, 2014 1:32 pm

Thanks! That was fast!

russellhltn
Community Administrator
Posts: 20735
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: SSL Heartbleed bug

Postby russellhltn » Thu Apr 10, 2014 1:56 pm

I did find a list of sites on the Internet that were taken before the patches rolled out:

Testing lds.org... not vulnerable.
Testing familysearch.org... not vulnerable.

So if there was a problem, it probably was only some smaller sites.

