linuxkidd
Member
This post relates to a vulnerability in an open-source software package used to provide secure web-site serving (https), among other server communication products, commonly referred to as 'Heartbleed'.
We are pleased to announce that while we do use Apache and OpenSSL for encrypting all payment transactions for the Heartland Owners Club, the version of OpenSSL that we employ has never been vulnerable to the Heartbleed attack.
The quick synopsis of the issue:
* Sites using vulnerable versions of OpenSSL (which provides https capability to open-source web servers) are susceptible to having a chunk of server memory returned in response to specially crafted requests.
* The chunk of server memory (64 KB in size) could be *anything* that was in memory, including user credentials, the server's private SSL certificates, encryption keys, etc.
* MANY sites (approximately 17.2% of all Apache/Nginx-based sites) are, or were, vulnerable.
* This hole was present in OpenSSL packages available for the past two years.
* Server admins have been scrambling to update their servers since the announcement of this issue just a few days ago.
More details about the Heartbleed vulnerability can be found at http://heartbleed.com.
Thanks!
LK
Technical Moderator
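The "chunk of server memory returned with specially crafted requests" in the post is a missing length check in OpenSSL's TLS heartbeat handler. The simulation below is an added example written for this page; it is neither the poster's code nor OpenSSL's. The record layout (type, 16-bit payload length, payload, at least 16 bytes of padding) follows RFC 6520, and the patched check mirrors the one OpenSSL 1.0.1g added. The `arena`, the planted `SECRET` string, the `build_request`/`demo_*` helpers and the arena-size guard in the vulnerable path are constructed for the demonstration so it runs stand-alone without reading real out-of-bounds memory.

```c
/* Simulation of the Heartbleed over-read (CVE-2014-0160). Added example; assumptions:
 * "server memory" is a fixed arena, the heartbeat request sits at its start, and a
 * constructed secret sits a little further on, standing in for keys or credentials. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE    4096
#define SECRET_OFFSET 64
#define HB_REQUEST    1
#define HB_RESPONSE   2
#define PADDING       16
#define RESPONSE_MAX  (3 + 65535 + PADDING)   /* 16-bit length field: at most 64 KB leaks per request */

static const char SECRET[] = "user=alice;password=hunter2";   /* constructed sample secret */

struct hb_record {
    unsigned char arena[ARENA_SIZE];
    size_t record_len;   /* bytes the TLS record layer actually delivered */
};

/* Build a heartbeat request whose header claims 'claimed' payload bytes while only
 * strlen(payload) are really present, then plant the secret beyond the record. */
size_t build_request(struct hb_record *rec, const char *payload, uint16_t claimed)
{
    size_t n = strlen(payload);
    memset(rec->arena, 0, ARENA_SIZE);
    rec->arena[0] = HB_REQUEST;
    rec->arena[1] = (unsigned char)(claimed >> 8);
    rec->arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(&rec->arena[3], payload, n);
    rec->record_len = 3 + n + PADDING;
    memcpy(&rec->arena[SECRET_OFFSET], SECRET, sizeof SECRET);
    return rec->record_len;
}

/* Vulnerable behaviour (OpenSSL 1.0.1 to 1.0.1f): trusts payload_length and copies
 * that many bytes back without comparing it to record_len. */
size_t heartbeat_vulnerable(const struct hb_record *rec, unsigned char *out)
{
    const unsigned char *p = rec->arena;
    size_t copy = (size_t)((p[1] << 8) | p[2]);
    if (3 + copy > ARENA_SIZE)
        copy = ARENA_SIZE - 3;            /* simulation guard only; real OpenSSL had no such limit */
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(&out[3], &p[3], copy);         /* the over-read: runs past the 2 real payload bytes */
    memset(&out[3 + copy], 0, PADDING);
    return 3 + copy + PADDING;
}

/* Patched behaviour (OpenSSL 1.0.1g): silently drop a record whose claimed payload
 * plus header and padding does not fit in what was received. */
size_t heartbeat_patched(const struct hb_record *rec, unsigned char *out)
{
    const unsigned char *p = rec->arena;
    size_t payload_len;
    if (rec->record_len < (size_t)1 + 2 + PADDING)
        return 0;
    payload_len = (size_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload_len + PADDING > rec->record_len)
        return 0;                         /* discard per RFC 6520 */
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(&out[3], &p[3], payload_len);
    memset(&out[3 + payload_len], 0, PADDING);
    return 3 + payload_len + PADDING;
}

/* 1 if the planted secret appears anywhere in the n response bytes, else 0. */
int response_leaks_secret(const unsigned char *out, size_t n)
{
    size_t i, slen = sizeof SECRET - 1;
    for (i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(&out[i], SECRET, slen) == 0) return 1;
    return 0;
}

/* Scenarios return values rather than print so they can be checked. */
int demo_vulnerable_leaks(void)          /* claim 1024 bytes, send "hi" */
{
    static struct hb_record rec; static unsigned char out[RESPONSE_MAX];
    build_request(&rec, "hi", 1024);
    return response_leaks_secret(out, heartbeat_vulnerable(&rec, out));
}
size_t demo_patched_drops(void)          /* same malicious request, patched handler */
{
    static struct hb_record rec; static unsigned char out[RESPONSE_MAX];
    build_request(&rec, "hi", 1024);
    return heartbeat_patched(&rec, out);
}
size_t demo_patched_honest(void)         /* well-formed request still gets a reply */
{
    static struct hb_record rec; static unsigned char out[RESPONSE_MAX];
    build_request(&rec, "hi", 2);
    return heartbeat_patched(&rec, out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("patched handler bytes returned for bogus request: %zu\n", demo_patched_drops());
    printf("patched handler bytes returned for honest request: %zu\n", demo_patched_honest());
    return 0;
}
```

The attacker never has to guess where secrets live: the length field alone decides how far past the two real payload bytes the copy runs, and every request can be repeated, so over time whatever the process has in nearby heap pages (the credentials and keys the post lists) comes back a piece at a time.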