SSL Heartbleed bug

Posted: Wed Apr 09, 2014 7:16 pm
by munaish
Has the Church patched the Heartbleed bug on all its services that use SSL, yet?

Re: SSL Heartbleed bug

Posted: Wed Apr 09, 2014 9:35 pm
by rmrichesjr
That's a very good question. I posted in the moderator/administrator forum that the question had been asked. I suspect others will be asking the same question. I'm not sure there will be an official answer, but I'll keep an eye out for one in case I see it before someone else posts a reference in this thread.

Meanwhile, on the Debian mailing list, I saw mention of a few sites that will test other sites for the vulnerability. I can't vouch for the integrity of the sites, and I have no connection with them, but I tried them out and they looked reasonable.

http://filippo.io/Heartbleed

https://www.ssllabs.com/ssltest/

There was also mention of a tool for scanning a complete network, and instructions on how to use it. I have not tried this tool, and I have no connection with the authors of either the tool or instructions, but I did look at the instruction page and github page. Your mileage might vary.

https://github.com/robertdavidgraham/masscan

http://blog.erratasec.com/2014/04/using ... bleed.html

Hope that helps at least a little.

Robert Riches
LDSTech Community Moderator

Re: SSL Heartbleed bug

Posted: Wed Apr 09, 2014 9:56 pm
by russellhltn
It should be noted that the Heartbleed bug only affects the OpenSSL cryptographic software library. It's a popular library, but by no means the only SSL library out there. If the server uses SSL other than OpenSSL and isn't based on OpenSSL, then it's not an issue.

IOW, if SSL were a car, Chevy just got a recall but Ford owners need not be concerned. Not all SSL is a risk.

That said, I don't have an official answer about the status of the church servers or which SSL libraries they use.

Re: SSL Heartbleed bug

Posted: Thu Apr 10, 2014 8:41 am
by scgallafent
Yes. The patching process is complete and a new SSL certificate has been installed for lds.org.

Re: SSL Heartbleed bug

Posted: Thu Apr 10, 2014 2:20 pm
by munaish
Awesome! Thank you everyone. That's really good to know about there being multiple SSLs. I knew the problem was with OpenSSL, but I wasn't sure that other SSLs existed.

Re: SSL Heartbleed bug

Posted: Thu Apr 10, 2014 2:23 pm
by munaish
Sorry. I meant SSL in the subject. I guess I was subconsciously thinking of shells and terminals or something when I wrote this. If someone with admin privileges could edit that, that would be awesome.

Re: SSL Heartbleed bug

Posted: Thu Apr 10, 2014 2:30 pm
by aebrown
mark_h_dewey wrote: Sorry. I meant SSL in the subject. I guess I was subconsciously thinking of shells and terminals or something when I wrote this. If someone with admin privileges could edit that, that would be awesome.
Done.

Re: SSL Heartbleed bug

Posted: Thu Apr 10, 2014 2:32 pm
by munaish
Thanks! That was fast!

Re: SSL Heartbleed bug

Posted: Thu Apr 10, 2014 2:56 pm
by russellhltn
I did find a list of sites on the Internet that were taken before the patches rolled out:

Testing lds.org... not vulnerable.
Testing familysearch.org... not vulnerable.

So if there was a problem, it probably was only some smaller sites.