Author

Topic: Is this server vulnerable to Heartbleed OpenSSL vulnerability? (Read 1140 times)

legendary
Activity: 910
Merit: 1000
★YoBit.Net★ 350+ Coins Exchange & Dice
that site does not actually check correctly.
it reported a number of sites not vulnerable that were vulnerable.
do not trust it, to check anyways.

This one which another user posted up is good and actually accurate - https://www.ssllabs.com/ssltest/analyze.html?d=bitcointalk.org

alternatively if you have a unix box with python 2.7 (if i recall correctly) just download the python script and test yourself.



legendary
Activity: 1500
Merit: 1022
I advocate the Zeitgeist Movement & Venus Project.
Hmm... I thought that the leaked memory would only include OpenSSL-specific stuff, but I did some more research and I think you're right: user passwords could have possibly been leaked, though it would have been difficult.

I'll log everyone out and add this info to the header.
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
I'm wondering, does this just test if the bug is present?
Yes.

If so, that means if the file with the bug is updated, but the certificate is not updated, it might give a false negative…
Not really a false negative because the vulnerability is not any more there. But yeh if your server was once vulnerable, you should consider the private key of the certificate as stolen and potentially even users' cookies/passwords. That's why I assume bitcointalk.org never had this vulnerability because I am sure theymos would have made a topic about it then (with a warning to change our passwords to be sure.)
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
...
Um you do know that bitcoin.og is both a domian name and a host name....


Thanks, I had it confused with the Linux hostname command which gives server1.example.com.
I used to set up servers "way too often", but I found a reliable VPS and haven't had to move and rebuild for almost 2.5 years.  Smiley
donator
Activity: 1218
Merit: 1079
Gerald Davis

Um you do know that bitcoin.og is both a domian name and a host name.   Most sites use a null or naked domain as their host.  There is very likely no something.bitcointalk.org.

Now if the site was forum.bitcointalk.org you couldn't enter just bitcointalk.org.

Quote
Retrieving DNS records for bitcointalk.org...
DNS servers
dns2.registrar-servers.com [208.64.122.242]
dns5.registrar-servers.com [208.64.122.242]
dns1.registrar-servers.com [173.245.58.17]
dns4.registrar-servers.com [173.245.58.17]
dns3.registrar-servers.com [69.197.21.28]

Answer records
bitcointalk.org      A   109.201.133.195   7200s

Yup only A record points to bitcointalk.org not something.bitcointalk.org
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
sr. member
Activity: 462
Merit: 262
Quote
All good, bitcointalk.org seems not affected!

I am getting:
Quote

bitcointalk.org IS VULNERABLE.
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
Yes, we need to know if the cert was changed after the server was updated.
sr. member
Activity: 431
Merit: 261

I'm wondering, does this just test if the bug is present? If so, that means if the file with the bug is updated, but the certificate is not updated, it might give a false negative… I'm just theorizing generally, not assuming that's the case with BitcoinTalk.

I think the filippo site is drowning right now, I haven't got it to give me any results lately.
EFS
staff
Activity: 3934
Merit: 2224
Crypto Swap Exchange
Quote
All good, bitcointalk.org seems not affected!
legendary
Activity: 1500
Merit: 1022
I advocate the Zeitgeist Movement & Venus Project.
Jump to: