Many of you will have heard of the "Heartbleed" bug, which has been present in a widely-used security library for the last two years. Inkbunny keeps its software up to date, and so we were at risk.
On becoming aware of the issue, we applied the relevant patches, changed our internal keys, and obtained a new SSL certificate from Comodo. The site is no longer vulnerable.
Due to the nature of the bug, information passing through Inkbunny's secured channels could have been intercepted. We've had no reports of such interception, nor of any unauthorized account access. Still, if you haven't changed your Inkbunny password recently, now might be a good time.
Huh, that's bizarre. I tested it with the http://filippo.io/Heartbleed test and it said that it was vulnerable, and posted a bit of the memory as proof, but now when I test it just gives an error.
Huh, that's bizarre. I tested it with the http://filippo.io/Heartbleed test and it said that it was
Don't be. We made this announcement out of an abundance of caution; it took hours for exploit code to become widely available, by which time we'd patched the server.
In addition, as we serve all site material through HTTPS, any private information would have been mixed in with the site's images and scripts. It's kinda like trying to intercept military communications by listening in for a few seconds on a random radio channel. You could get something useful, but it'll probably just be static - or worse, dubstep. ;-)
Don't be. We made this announcement out of an abundance of caution; it took hours for exploit code t
XD haha. Ok now I'm happy, ok I see this thing saying site maintenance now. I guess I'll see this site soon again! (One hour later) I HAVE TO GET BACK ON! Lol I'm addicted to here
XD haha. Ok now I'm happy, ok I see this thing saying site maintenance now. I guess I'll see this si
Not that it's super-important, but perhaps y'all could consider adjusting the list of SSL ciphers to prefer better ones that offer Forward Secrecy? E.g., the Mozilla-recommended list. The SSL Labs test rates IB A-, due to the lack of PFS for their list of reference browsers. I think with the cipher list change, y'all could get an A+ :)
Not that it's super-important, but perhaps y'all could consider adjusting the list of SSL ciphers to
What Starling said. Right now, we need to package a new version of Apache and its dependencies (possible, but has significant issues, especially with 2.4) or move to Debian testing (also possible, perhaps even easier, but opens us up to more issues like this).
I'm glad that OpenSSL and OpenSSH have implementations designed to easily have bugs fixed. At the same time, people reviewing the code can find exploits faster. Such is the nature of open source.
I'm glad that OpenSSL and OpenSSH have implementations designed to easily have bugs fixed. At the sa
I was wondering why I had to log back in a moment ago, and I figured that there would be a journal here to explain it. Funny that it should be about Heartbleed, as I just read about it for the first time earlier today on a DeviantArt member's journal.
Thank you for the heads-up. :)
I was wondering why I had to log back in a moment ago, and I figured that there would be a journal h
Uh, guys. I recently changed my password with the link you put in the topic and all it did was lock me out of my account. This is the error message I got bellow. I just want to let you know. I changed it back to what it was and got back in.
Error: Invalid user name or password, or login to that account from your IP (xxx.xx.xx.xxx) may be restricted by your own account settings.
Uh, guys. I recently changed my password with the link you put in the topic and all it did was lock
It's good to have options, and for some the license may make a difference, but as a practical matter OpenSSL is likely to get more work on it from corporations. Case in point: the Heartbleed bug was discovered and reported to the OpenSSL team by Neel Mehta at Google’s security team.
As bad as this bug was, GnuTLS has its own issues ( http://www.zdnet.com/gnutls-big-internal-bugs-fe
Yeah I didn't mean to imply that GnuTLS was without fault or even better, just that I thought you guys were the type of people who would prefer it and was surprised to learn otherwise. That's all!.
Yeah I didn't mean to imply that GnuTLS was without fault or even better, just that I thought you gu
great advice. or possibly do what my friend does and interspace 2 words (he types one, goes tot he start and hits 1 letter, right arrow, 1 letter, right arrow. (so INKBUNNY and partycentral would interlink to pIaNrKtByUcNeNnYtral gets a 2 word password (or repeat the process and add a third word)
great advice. or possibly do what my friend does and interspace 2 words (he types one, goes tot h
i think the wonderful thing about the Cub community is that in its self acts like a deterrent to opportunistic characters due to its un-tasteful content, also this site seems like a very back alley place for google, however recently information regrading comments are making its way to the google search engine. Also i think the profitability of gathering information from IB to be fruitless due to the fact a lot of people here will most likely keeps there personal information/security separate from the normal day to day usage of the internet just because of the social implications xD
i think the wonderful thing about the Cub community is that in its self acts like a deterrent to opp
