I'm guessing they patched OpenSSL and revoked their old certs and then botched the new ones.
Many, many certs were revoked after the Heartbleed patch. You'll be seeing this a lot in the upcoming weeks.
+Olav Folland +Daniel Sachs – I was pretty sure (as I had to do) the patch on the server is pretty seamless…
It's interesting they are using Akamai – I would assume that's part of the issue…
All I know is I have changed more passwords in the past week than I care to have to do again – but it's a good excuse to upgrade my own security…
+Brent Burzycki the patch is seamless, but you have to revoke all your old certs because they're potentially compromised, and there's really no way to tell.
I'm holding off on low-priority sites because of this – if you've changed your pwds you should probably do it again once they're clean :/
lol – me too 😀 and I'm not even finished yet…
The thing with the cert is that if you use services like Akamai or CloudFlare they will issue a cert for you on top or instead of the cert installed on your server. Basically it ensures secure connection for static assets over the CDN. The issuing process takes a couple of days, and in between modern browsers will issue a warning because the actual cert is for Akamai or Cloudflare, and not for reddit specifically. It updates automatically after a couple of days. It's a really useful feature, as you see. Personally I also use it for websites without a local cert installed. Although the connection between the CDN/NS provider and the server isn't secure, the connection between the client and the CDN/NS provider is. Plus if you don't have issues with SSL-enabled websites linking to http and breaking the cert. Obviously this is not the way to properly secure the connection, but it's a nice workaround for websites which do not require SSL and it is sort of nice-to-have and if you don't want to pay for a cert but already use a CDN/NS provider.
I haven't implemented SSL since my local sites are consumption-only. I farm out my gallery/ordering/fulfillment to a third-party via a subdomain, and handle blog commenting with a plugin that uses G+ and Facebook for security. Bringing that stuff on-site is an expensive proposition, particularly once you start talking about using Verisign or one of the similar cert services :/
Honestly I feel this exploit overall will probably lead to not a lot of exploits but in the end will actually strengthen the Net's overall security.
One can hope, Brent, but given business' track record on security I wouldn't hold my breath.
With the state of security as you say…. I think we all can only hope…