SSL Heartbleed bug

munaish
Member
Posts: 137
Joined: Sun Apr 01, 2012 1:58 pm

SSL Heartbleed bug

#1

Post by munaish »

Has the Church patched the Heartbleed bug on all its services that use SSL yet?
rmrichesjr
Community Moderators
Posts: 3829
Joined: Thu Jan 25, 2007 11:32 am
Location: Dundee, Oregon, USA

Re: SSL Heartbleed bug

#2

Post by rmrichesjr »

That's a very good question. I posted in the moderator/administrator forum that the question had been asked. I suspect others will be asking the same question. I'm not sure there will be an official answer, but I'll keep an eye out for one in case I see it before someone else posts a reference in this thread.

Meanwhile, on the Debian mailing list, I saw mention of a few sites that will test other sites for the vulnerability. I can't vouch for the integrity of the sites, and I have no connection with them, but I tried them out and they looked reasonable.

http://filippo.io/Heartbleed

https://www.ssllabs.com/ssltest/

There was also mention of a tool for scanning a complete network, and instructions on how to use it. I have not tried this tool, and I have no connection with the authors of either the tool or instructions, but I did look at the instruction page and github page. Your mileage might vary.

https://github.com/robertdavidgraham/masscan

http://blog.erratasec.com/2014/04/using ... bleed.html

Hope that helps at least a little.

Robert Riches
LDSTech Community Moderator
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: SSL Heartbleed bug

#3

Post by russellhltn »

It should be noted that the Heartbleed bug only affects the OpenSSL cryptographic software library. It's a popular library, but by no means the only SSL library out there. If the server uses SSL other than OpenSSL and isn't based on OpenSSL, then it's not an issue.

IOW, if SSL were a car, Chevy just got a recall but Ford owners need not be concerned. Not all SSL is a risk.

That said, I don't have an official answer about the status of the church servers or which SSL libraries they use.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
scgallafent
Church Employee
Posts: 3025
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Re: SSL Heartbleed bug

#4

Post by scgallafent »

Yes. The patching process is complete and a new SSL certificate has been installed for lds.org.
munaish
Member
Posts: 137
Joined: Sun Apr 01, 2012 1:58 pm

Re: SSL Heartbleed bug

#5

Post by munaish »

Awesome! Thank you everyone. That's really good to know about there being multiple SSLs. I knew the problem was with OpenSSL, but I wasn't sure that other SSLs existed.
munaish
Member
Posts: 137
Joined: Sun Apr 01, 2012 1:58 pm

Re: SSL Heartbleed bug

#6

Post by munaish »

Sorry. I meant SSL in the subject. I guess I was subconsciously thinking of shells and terminals or something when I wrote this. If someone with admin privileges could edit that, that would be awesome.
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

Re: SSL Heartbleed bug

#7

Post by aebrown »

mark_h_dewey wrote: Sorry. I meant SSL in the subject. I guess I was subconsciously thinking of shells and terminals or something when I wrote this. If someone with admin privileges could edit that, that would be awesome.
Done.
munaish
Member
Posts: 137
Joined: Sun Apr 01, 2012 1:58 pm

Re: SSL Heartbleed bug

#8

Post by munaish »

Thanks! That was fast!
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: SSL Heartbleed bug

#9

Post by russellhltn »

I did find a list of sites on the Internet that were taken before the patches rolled out:

Testing lds.org... not vulnerable.
Testing familysearch.org... not vulnerable.

So if there was a problem, it probably was only some smaller sites.