19 Apr 2014 admin In G+ Posts

Comments: 9

  1. Olav Folland 19 Apr 2014 Reply

    I'm guessing they patched OpenSSL and revoked their old certs and then botched the new ones.

  2. Daniel Sachs 19 Apr 2014 Reply

    Many, many certs were revoked after the Heartbleed patch. You'll be seeing this a lot in the upcoming weeks

  3. Brent Burzycki 19 Apr 2014 Reply

    +Olav Folland +Daniel Sachs – I was pretty sure (as I had to do) the patch on the server is pretty seamless…

    It's interesting they are using Akamai – I would assume that's part of the issue…

    All I know is I have changed more passwords in the past week than I care to have to do again – but it's a good excuse to upgrade my own security…

  4. Olav Folland 19 Apr 2014 Reply

    +Brent Burzycki the patch is seamless, but you have to revoke all your old certs because they're potentially compromised, and there's really no way to tell.

    I'm holding off on low-priority sites because of this – if you've changed your pwds you should probably do it again once they're clean :/

  5. Daniel Sachs 19 Apr 2014 Reply

    lol – me too 😀 and I'm not even finished yet…

    The thing with the cert is that if you use services like Akamai or CloudFlare they will issue a cert for you on top or instead of the cert installed on your server. Basically it ensures secure connection for static assets over the CDN. The issuing process takes a couple of days, and in between modern browsers will issue a warning because the actual cert is for Akamai or CloudFlare, and not for reddit specifically. It updates automatically after a couple of days. It's a really useful feature, as you see. Personally I also use it for websites without a local cert installed. Although the connection between the CDN/NS provider and the server isn't secure, the connection between the client and the CDN/NS provider is. Plus if you don't have issues with SSL-enabled websites linking to http and breaking the cert. Obviously this is not the way to properly secure the connection, but it's a nice workaround for websites which do not require SSL and it is sort of nice-to-have and if you don't want to pay for a cert but already use a CDN/NS provider

  6. Olav Folland 19 Apr 2014 Reply

    I haven't implemented SSL since my local sites are consumption-only. I farm out my gallery/ordering/fulfillment to a third-party via a subdomain, and handle blog commenting with a plugin that uses G+ and Facebook for security. Bringing that stuff on-site is an expensive proposition, particularly once you start talking about using Verisign or one of the similar cert services :/

  7. Brent Burzycki 19 Apr 2014 Reply

    Honestly I feel this exploit overall will probably lead to not a lot of exploits but in the end will actually strengthen the Net's overall security..

  8. Olav Folland 19 Apr 2014 Reply

    One can hope, Brent, but given business' track record on security I wouldn't hold my breath.

  9. Brent Burzycki 19 Apr 2014 Reply

    With the state of security as you say…. I think we all can only hope…
