"Heartbleed" vulnerability plugged.

Unread post by Admin » 2014-04-08, 18:37

Just to let people know: All of Pale Moon's SSL-enabled services (forum login pages, XMPP server, etc. etc.) have been patched up to prevent exploitation of the heartbleed bug.

Unread post by ParanoidGrillen » 2014-04-13, 17:46

What about new certs? As I understood, the private keys could have been stolen without knowledge.

Unread post by Moonchild » 2014-04-13, 22:48

Most services are protected by Cloudflare (who have been vigilant in starting a staged re-issue immediately after fixing their cloud edge). The ones that aren't are low priority, and new certs will either be issued when the current ones expire (in a few months) or if I move to wildcard certs before then.

Unread post by MozillaUser233 » 2014-04-15, 14:12

It's very wise to change your PW.

Not much info, but here. https://lastpass.com/heartbleed/?h=forum.palemoon.org

Ongoing discussion.

Very informative information.
https://bitcointalk.org/index.php?topic=567590.0

Unread post by Moonchild » 2014-04-15, 14:25

The lastpass "check" doesn't really say anything ;) - And no, I didn't jump on getting new certificates straight away, as said. It's low priority.
If you're worried that your password might have been stolen, you can always change your password (it's enforced once per year anyway), but considering the way the forum is set up, password details for forum logins would not be anywhere near the potentially readable server memory addresses through heartbleed.

Unread post by Night Wing » 2014-04-15, 15:16

If my password for this site would have been compromised, I would have already noticed it a long time ago. I'm not that paranoid because of all the "sky is falling" talk going on with Heartbleed.

Unread post by Daikun » 2014-04-16, 08:51

MozillaUser233 wrote: Not much info, but here. https://lastpass.com/heartbleed/?h=forum.palemoon.org
The current cert has not been seen before and we have seen older certificates, likely now safe (4 decades ago)
Holy moly! Pale Moon has been around since the 1970s!

Unread post by Admin » 2014-04-22, 00:08

Note: The forum is running on an OpenSSL version that was never vulnerable (0.9.8 branch) so nothing could have been compromised.

It's still a good idea to change your password if you haven't done so recently, just to be absolutely safe.