
Heartbleed vulnerability

Many of you will have heard of the "Heartbleed" bug, which has been present in a widely-used security library for the last two years. Inkbunny keeps its software up to date, so we were running an affected version and were at risk.

On becoming aware of the issue, we applied the relevant patches, changed our internal keys, and obtained a new SSL certificate from Comodo. The site is no longer vulnerable.

Due to the nature of the bug, information passing through Inkbunny's secured channels could have been intercepted. We've had no reports of such interception, nor of any unauthorized account access. Still, if you haven't changed your Inkbunny password recently, now might be a good time.
Viewed: 1,924 times
Added: 4 years, 3 months ago
Site News Item: yes
 
Iviv
4 years, 3 months ago
Good work! Just checked if FA has been secured yet. Silly question!
Danjen
4 years, 3 months ago
They're probably not even aware of it yet, and if they are, it'll be years before anything is done.
That place is a disaster.
ProjectDarkFox
4 years, 3 months ago
They don't even use OpenSSL. They said something about it on Twitter and they were not affected whatsoever.
GreenReaper
4 years, 3 months ago
You can test a site for the vulnerability. FA does not support TLS 1.1 or higher; if it uses OpenSSL, it is probably a major version that pre-dates the vulnerability, as that was added at about the same time.
Iviv
4 years, 3 months ago
Huh, that's bizarre. I tested it with the http://filippo.io/Heartbleed test and it said that it was vulnerable, and posted a bit of the memory as proof, but now when I test it just gives an error.
frankteller
4 years, 3 months ago
They aren't secure enough to have been affected by this.
FALLOUTdogg
4 years, 3 months ago
I'm so scared right now D:
GreenReaper
4 years, 3 months ago
Don't be. We made this announcement out of an abundance of caution; it took hours for exploit code to become widely available, by which time we'd patched the server.

In addition, as we serve all site material through HTTPS, any private information would have been mixed in with the site's images and scripts. It's kinda like trying to intercept military communications by listening in for a few seconds on a random radio channel. You could get something useful, but it'll probably just be static - or worse, dubstep. ;-)
FALLOUTdogg
4 years, 3 months ago
XD haha. Ok now I'm happy, ok I see this thing saying site maintenance now. I guess I'll see this site soon again! (One hour later) I HAVE TO GET BACK ON! Lol I'm addicted to here
Furryluv19
4 years, 3 months ago
Nevermind
Danjen
4 years, 3 months ago
It says right there "we applied the relevant patches"
KNIFE
4 years, 3 months ago
Haha..Dubstep reference...wait...that's relevant! nvm. ;D
RollerCoasterViper59
4 years, 3 months ago
For now I'll keep my password the same... if worst comes to worst then I'll change it... I just hope nothing gets broken, destroyed or deleted :(
Bahlam
4 years, 3 months ago
Heartbleed? Aaaaaaaaaaaaaaaaaaa~!  Oh, okay.  🐱
KNIFE
4 years, 3 months ago
Wait..you FIXED it ALREADY!?
woah!

Something's wrong here.....but not really. :D
Good Jorb and Thanks! :D
GreenReaper
4 years, 3 months ago
The initial patch was applied two days ago; we applied the new certificate later that day.

Vulnerabilities are reported and patched on a regular basis; this one just took a little longer than usual, as we had to take extra precautions.
OrdoLeonisVocem
4 years, 3 months ago
I'm gonna change my password right now, thank you for the info
dahan
4 years, 3 months ago
Not that it's super-important, but perhaps y'all could consider adjusting the list of SSL ciphers to prefer better ones that offer Forward Secrecy? E.g., the Mozilla-recommended list. The SSL Labs test rates IB A-, due to the lack of PFS for their list of reference browsers. I think with the cipher list change, y'all could get an A+ :)
starling
4 years, 3 months ago
The current version of Apache available to Debian Stable does not support perfect forward secrecy ciphers. We're looking at ways to install a later version of Apache so we can start using those.
dahan
4 years, 3 months ago
Ah, OK... glad to hear you guys are looking into it :)
GreenReaper
4 years, 3 months ago
What Starling said. Right now, we need to package a new version of Apache and its dependencies (possible, but has significant issues, especially with 2.4) or move to Debian testing (also possible, perhaps even easier, but opens us up to more issues like this).

There are discussions about including a version of Apache 2.2 with ECDH support, and this would also make it possible for us to support them.
GreenReaper
4 years ago
We now have an A+ rating at SSL Labs, thanks to the above upgrades and a few other tweaks.
dahan
4 years ago
Yay! :) Great job :)
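The cipher-list change dahan suggests above, shown as an added illustration of the directives involved (this is not Inkbunny's actual configuration; it assumes an httpd build with mod_ssl that has ECDH support, such as 2.4 or a 2.2 release with the backport GreenReaper mentions, linked against OpenSSL 1.0.1 or later):

```apache
# Added illustration only, not the site's real configuration.
# Both fragments go inside the site's <VirtualHost *:443>; the second replaces the first.

# Weak: the client's preference decides, so a browser that lists RSA key exchange
# first gets no forward secrecy, and RC4/MD5 suites and SSLv3 remain allowed.
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL
# SSLHonorCipherOrder is left at its default (off)

# Corrected: ephemeral (ECDHE, then DHE) suites listed first, server order enforced,
# SSLv3 off, RC4/MD5/anonymous/null suites excluded. Plain RSA suites stay at the end
# only as a fallback for clients that cannot negotiate a forward-secrecy suite.
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA:!aNULL:!eNULL:!MD5:!RC4
```

After restarting httpd, re-running the SSL Labs test shows in its handshake simulation which reference browsers now negotiate an ECDHE or DHE suite; on a mod_ssl build without ECDH support the ECDHE names are silently dropped from the list, leaving only the DHE suites to provide forward secrecy.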
SystFur
4 years, 3 months ago
I'm glad that OpenSSL and OpenSSH have implementations designed to easily have bugs fixed. At the same time, people reviewing the code can find exploits faster. Such is the nature of open source.
starling
4 years, 3 months ago
Much better than closed source for security as the NSA revelations have shown us.
jasperfox
4 years, 3 months ago
Thanks!
SharaCManasgael
4 years, 3 months ago
I was wondering why I had to log back in a moment ago, and I figured that there would be a journal here to explain it.  Funny that it should be about Heartbleed, as I just read about it for the first time earlier today on a DeviantArt member's journal.  

Thank you for the heads-up.  :)
chiro
4 years, 3 months ago
I still have the problem that I can only log in when I activate private mode in my Firefox <_< I am unable to log in here at IB (since I have Win 7) without opening a private Firefox window ~w~
starling
4 years, 3 months ago
Try clearing cache and cookies and then restart browser, then try to log in again!
chiro
4 years, 3 months ago
Yeah, that's the problem, I did that, I even talked with the IB support about the issue
clearing the cache and cookies didn't help, I even reinstalled Firefox but it still doesn't work x3
and it's only in Firefox. I can log in normally with Chrome and IE 11 =x
starling
4 years, 3 months ago
Try disabling all extensions and modules in FF and see if that helps. Then enable one by one to see which might be causing the issue.
chiro
4 years, 3 months ago
Yes, we tried that as well (while I talked to the support here x3) and it changed nothing ^^ IB just kicks my Firefox out instantly (or logs me out) after I've logged in successfully, unless I use private mode x3
Valheru
4 years, 3 months ago
That is very, very weird. I can say I have Windows 7 and my Firefox works fine. Though I will admit I usually use Chrome for Inkbunny and SF. Firefox tends to be used more for school work, heh.


But I have used both for flipped purposes depending on what I might have open in the other browser.
Reizinho
4 years, 3 months ago
Ah, that's why you kids are no longer using Geotrust and Rapidssl. I noticed that yesterday and was about to ask why.
MaDrow
4 years, 3 months ago
I guess InkBunny is still in the queue of GeoTrust and RapidSSL for a new certificate. Since those are giving replacements for free.
starling
4 years, 3 months ago
We only had 1 month left on our old certificate anyway. We chose the new one because it offered the best features we require for the best cost.
AlligatorPrincess
4 years, 3 months ago
Uh, guys. I recently changed my password with the link you put in the topic and all it did was lock me out of my account. This is the error message I got, below. I just want to let you know. I changed it back to what it was and got back in.

Error: Invalid user name or password, or login to that account from your IP (xxx.xx.xx.xxx) may be restricted by your own account settings.
starling
4 years, 3 months ago
You typed the password wrong when you changed it or when you were logging in. Be sure not to use copy/paste for either process because that can do odd things.
Toksyuryel
4 years, 3 months ago
I'm actually surprised you guys are using OpenSSL at all, y'all seem like the type to be using GnuTLS instead.
starling
4 years, 3 months ago
We use whatever Debian Stable provides. :O
GreenReaper
4 years, 3 months ago
As bad as this bug was, GnuTLS has its own issues.

It's good to have options, and for some the license may make a difference, but as a practical matter OpenSSL is likely to get more work on it from corporations. Case in point: the Heartbleed bug was discovered and reported to the OpenSSL team by Neel Mehta at Google’s security team.
Toksyuryel
4 years, 3 months ago
Yeah, I didn't mean to imply that GnuTLS was without fault or even better, just that I thought you guys were the type of people who would prefer it and was surprised to learn otherwise. That's all!
prufen
4 years, 3 months ago
I don't store my credit card information on inkbunny.
FibS
4 years, 3 months ago
Inkbunny isn't the only site affected, and even if it was, if you have shared information of any kind then it can be used against you on other sites.

Yahoo! (including Tumblr) were also affected.
Deathlight
4 years, 3 months ago
Yeah, some of my new passwords might contain profanity because of this.  Let's all go change one zillion passwords.
GreenReaper
4 years, 3 months ago
Just remember to use a different swear word for each site!
Valheru
4 years, 3 months ago
Great advice. Or possibly do what my friend does and interspace 2 words (he types one, goes to the start and hits 1 letter, right arrow, 1 letter, right arrow), so INKBUNNY and partycentral would interlink to pIaNrKtByUcNeNnYtral, which gets a 2-word password (or repeat the process and add a third word).
RComplex
4 years, 3 months ago
*grey alien* Dammit! Dammit! Dammit!

I just saw this post and now changing my password. ><
GreenReaper
4 years, 3 months ago
You can watch or set "receive site news" in your account settings to see such messages sooner. :-)
RComplex
4 years, 3 months ago
>> Did not know that. ^^ Thanks for the tip!
Bloodhawk
4 years, 1 month ago
I think the wonderful thing about the Cub community is that it in itself acts like a deterrent to opportunistic characters due to its untasteful content; also this site seems like a very back-alley place for Google, however recently information regarding comments is making its way to the Google search engine. Also I think the profitability of gathering information from IB would be fruitless due to the fact that a lot of people here will most likely keep their personal information/security separate from their normal day-to-day usage of the internet just because of the social implications xD