  1. #1
    ABW Ambassador isellstuff's Avatar
    Join Date
    November 9th, 2005
    Location
    Virginia
    Posts
    1,659
    OpenSSL Heartbeat and the News
    I was driving around this afternoon listening to NPR on the radio and I kept hearing commentators repeatedly say the only way to avoid the OpenSSL Heartbeat vulnerability was to stay off the Internet. Needless to say, that kind of sensationalism can't be good for sales.

  3. #2
    OPM and Moderator Chuck Hamrick's Avatar
    Join Date
    April 5th, 2005
    Location
    Park City Utah
    Posts
    16,646
    I got an email on the subject and glanced right past it: R+p ALERT! SSL Security Bug Means You Need To Act Now - mThink

    So are we supposed to stay off the Internet while someone figures this out?

  4. #3
    ABW Ambassador isellstuff's Avatar
    Join Date
    November 9th, 2005
    Location
    Virginia
    Posts
    1,659
    The problem is that the fix must be rolled out to all servers that rely on OpenSSL and then the website owners need to buy new security certificates.

    Unfortunately, the Apache Web Server uses OpenSSL. Apache is very widely used.

    I mean it's a huge mess. Maybe the biggest Internet bug ever. It's not good for e-commerce sales which all use https, which is essentially HTTP within SSL. The problem is that this issue is getting a lot of publicity. A certain percentage of the population might stop shopping online for a few weeks or longer.

  5. #4
    ABW Ambassador Bob Lawrence's Avatar
    Join Date
    July 2nd, 2007
    Posts
    1,090
    And to think it's been that way for over 2 years is what I read somewhere.
    My hosting company applied the patch to ours yesterday.
    Where's the Great Life of Affiliate Marketing Hiding?

  7. #6
    What's the word? Rhia7's Avatar
    Join Date
    January 13th, 2006
    Posts
    9,578
    Check the websites possibly affected by the Heartbleed Bug:

    Which Websites are Affected by the Heartbleed OpenSSL Encryption Bug? | Digital Trends
    ~Rhia7 -- Remember the 7
    Twitter me


  8. #7
    Outsourced Program Manager John Jupp's Avatar
    Join Date
    January 23rd, 2005
    Location
    England
    Posts
    1,502
    Fixed my servers 48 hours ago, won't bother with new certificates for now.
    Flambi Media Limited - USA/UK/EU Affiliate Management Expertise

  9. #8
    ABW Ambassador VampireSkunk's Avatar
    Join Date
    May 24th, 2007
    Location
    South East Asia
    Posts
    1,045
    I'm not an encryption expert, but I believe all computer encryption is based on the assumption that it is impossible to calculate prime numbers. (Somebody please correct if this is wrong.) The great maverick scientist James McCanney has published an apparently simple formula for doing precisely that.
    The NSA has ALWAYS been accessing encrypted data.
    (They say I'm paranoid.)

  10. #9
    ABW Ambassador
    Join Date
    January 4th, 2006
    Location
    USA
    Posts
    2,477
    I read some people said not to log in to any secure accounts until Friday, then change passwords.

    Is that so bad?

  11. #10
    ...and a Pirate's heart. Convergence's Avatar
    Join Date
    June 24th, 2005
    Posts
    6,918
    No need to purchase NEW SSL certs if you have paid for them already - just rekey.

    If you've been using a self-signed cert on your server then you should probably stop and PURCHASE a cert.

    Have already run into sites, i.e. DomainTools, that had us log in and reset our passwords. Yesterday, for a few hours, PayPal was forcing us to enter a CAPTCHA phrase - that stopped early evening...
    Salty kisses, Sandy toes, and a Pirate's heart...

  13. #11
    ABW Ambassador isellstuff's Avatar
    Join Date
    November 9th, 2005
    Location
    Virginia
    Posts
    1,659
    Thanks Convergence, I've never had to re-issue the keys and I didn't know it was possible. Actually don't run a secure website nowadays. Only had to do this for my day job eight years ago.

  14. #12
    Newbie
    Join Date
    January 6th, 2013
    Posts
    14
    If you guys use LastPass (I do) they have a feature where they scan sites you have passwords for that may have heartbleed issues.

    LastPass Now Tells You Which Heartbleed-Affected Passwords to Change

  15. #13
    ABW Ambassador isellstuff's Avatar
    Join Date
    November 9th, 2005
    Location
    Virginia
    Posts
    1,659
    Quote Originally Posted by cseo View Post
    If you guys use LastPass (I do) they have a feature where they scan sites you have passwords for that may have heartbleed issues.

    LastPass Now Tells You Which Heartbleed-Affected Passwords to Change
    Thanks for the tip, I do use LastPass!

  16. #14
    Moderator
    Join Date
    October 16th, 2007
    Location
    Neenah, WI
    Posts
    682
    Site: www abestweb com
    Server software: Apache
    Vulnerable: Likely (known use OpenSSL)
    SSL Certificate: Unsafe (created 1 year ago at Nov 28 16:39:21 2012 GMT)
    Assessment: Wait for the site to update before changing your password

  18. #15
    The affiliate formerly known as ojmoo
    Join Date
    January 18th, 2005
    Posts
    1,466
    Change my ABW password??? I don't even know what my ABW password is. I'm not going to do it, and remember if I piss off any of you, it wasn't me ;-)
    Expert who says Moo

    a.k.a. OJMOO

    Cow Dance


  19. #16
    ABW Ambassador JoyUnltd's Avatar
    Join Date
    January 19th, 2005
    Location
    Emerald City
    Posts
    2,019
    I checked a few sites at LastPass & it's not lookin' good:

    Site: cj.com
    Server software: Apache
    Vulnerable: Likely (known use OpenSSL)
    SSL Certificate: Possibly Unsafe (created 11 months ago at May 8 21:30:02 2013 GMT)
    Assessment: Wait for the site to update before changing your password

    Site: shareasale.com
    Server software: Microsoft-IIS/7.0
    Vulnerable: No (does not use OpenSSL)
    SSL Certificate: Safe (regenerated 9 months ago)
    Assessment: This server was not vulnerable, no need to change your password unless you have used it on any other site!

    Site: linkshare.com
    Server software: Apache/2.2.3 (Red Hat)
    Vulnerable: Likely (known use OpenSSL)
    SSL Certificate: Possibly Unsafe (created 2 months ago at Feb 24 00:00:00 2014 GMT)
    Assessment: Wait for the site to update before changing your password

    Site: avantlink.com
    Server software: Apache
    Vulnerable: Likely (known use OpenSSL)
    SSL Certificate: Possibly Unsafe (created 1 month ago at Feb 25 19:58:07 2014 GMT)
    Assessment: Wait for the site to update before changing your password

    Site: affiliatewindow.com
    Server software: nginx
    Vulnerable: Likely (known use OpenSSL)
    SSL Certificate: Possibly Unsafe (created 11 months ago at May 1 12:08:33 2013 GMT)
    Assessment: Wait for the site to update before changing your password


    Site: popshops.com
    Server software: nginx + Phusion Passenger 4.0.2
    Vulnerable: Likely (known use OpenSSL)
    SSL Certificate: Possibly Unsafe (created 10 months ago at May 30 00:00:00 2013 GMT)
    Assessment: Wait for the site to update before changing your password

    Site: goldencan.com
    Server software: Microsoft-IIS/7.5
    Vulnerable: No (does not use OpenSSL)
    SSL Certificate: Safe (regenerated 2 years ago)
    Assessment: This server was not vulnerable, no need to change your password unless you have used it on any other site!

    Site: prosperent.com
    Server software: cloudflare-nginx
    Vulnerable: Likely (known use OpenSSL)
    SSL Certificate: Now Safe (created 2 days ago at Apr 8 22:12:16 2014 GMT)
    Assessment: Change your password on this site if your last password change was more than 2 days ago


    WARNING: google.com was confirmed as vulnerable either publicly via statement or on 4/8/2014 LINK

    Site: google.com
    Server software: Not reported
    Vulnerable: Possibly (might use OpenSSL)
    SSL Certificate: Possibly Unsafe (created 1 week ago at Apr 2 15:25:33 2014 GMT)
    Assessment: Wait for the site to update before changing your password

    A quick hit list from Mashable.
    Renée
    Pay no attention to that woman behind the curtain. -Wizardress of Oz
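
The checker reports quoted in post #16 pair each site's server software with the date its certificate was created. As an added example (not part of the thread and not LastPass's code), the Python below parses reports in that layout and re-derives the advice; the cutoff date, the IIS rule and the hostnames are assumptions of the example.

```python
import re
from datetime import datetime

# Assumption of this example: cutoff is 7 April 2014, the day the bug was made public.
DISCLOSED = datetime(2014, 4, 7)

# Constructed reports in the layout quoted in the thread (hostnames are placeholders).
SAMPLE = """\
Site: shop-a.example
Server software: Apache/2.2.3 (Red Hat)
SSL Certificate: Possibly Unsafe (created 11 months ago at May 8 21:30:02 2013 GMT)

Site: shop-b.example
Server software: Microsoft-IIS/7.5
SSL Certificate: Safe (regenerated 2 years ago)

Site: shop-c.example
Server software: cloudflare-nginx
SSL Certificate: Now Safe (created 2 days ago at Apr 8 22:12:16 2014 GMT)

Site: shop-d.example
Server software: Not reported
SSL Certificate: Possibly Unsafe (created 1 week ago at Apr 2 15:25:33 2014 GMT)
"""

def parse_reports(text):
    """Split on blank lines; each 'Key: value' line becomes one dict entry."""
    return [dict(ln.strip().split(": ", 1) for ln in block.splitlines() if ": " in ln)
            for block in re.split(r"\n\s*\n", text.strip())]

def issued_at(cert_field):
    """Return the issue time from '... at <Mon D HH:MM:SS YYYY> GMT', else None."""
    m = re.search(r"at (\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT", cert_field)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y") if m else None

def triage(report):
    """Advice for a user's password on this site (assumed rules, mirroring the reports)."""
    if "microsoft-iis" in report.get("Server software", "").lower():
        return "not affected"             # IIS uses Windows' TLS stack, not OpenSSL
    issued = issued_at(report.get("SSL Certificate", ""))
    if issued and issued >= DISCLOSED:
        return "change password now"      # certificate replaced after disclosure
    # Old or unknown certificate: a password changed now could still be exposed.
    return "wait for rekey"

def triage_all(text):
    return {r["Site"]: triage(r) for r in parse_reports(text)}

if __name__ == "__main__":
    print(triage_all(SAMPLE))
```

A certificate issued after the cutoff is only a proxy: it does not prove the server was patched or that the private key was regenerated.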

  20. #17
    Affiliate Network Rep JCrooks - AffiliateWindow's Avatar
    Join Date
    March 7th, 2007
    Location
    Denver, CO
    Posts
    4,988
    Hey Renee, thanks for checking. I wanted to update everyone on Affiliate Window's response to this situation. We actually posted something in the Affiliate Window forum on ABW early this morning about this, because we take it very seriously.

    Bottom line is that AWin employs advanced cryptography techniques to ensure that even if an attacker had managed to steal these secret SSL keys, the attacker would not be able to use this to decrypt other users' connections, so your data continues to be protected.

    In order to ensure that in the unlikely event someone has stolen our SSL keys, they would be unable to use them, we are working with the global certificate authorities to replace these keys with new ones, and revoke the old ones.

    No action is required on your part, and please be reassured that your data continues to be protected.

    If you have any questions about this issue on Affiliate Window, just let me know.
    Jeannine Crooks - Always happy to share what I know! - Voted Best Network Rep 2013 & 2014
    Email | LinkedIn | Twitter | Affiliate Window
    US Programs | Canada Programs | UK Programs | Ireland Programs | Mainland Europe Programs

  22. #18
    ABW Ambassador JoyUnltd's Avatar
    Join Date
    January 19th, 2005
    Location
    Emerald City
    Posts
    2,019
    TY Jeannine! I'm sure this type of breach won't be the last one everyone has to weather.
    Renée
    Pay no attention to that woman behind the curtain. -Wizardress of Oz

