Topic: Heartbleed Security

Sorry Sebi. As of right now, I'm not using Deckbox until it is updated against the OpenSSL Heartbleed exploit. Scanning the site on LastPass shows it is still vulnerable.

Couldn't come at a worse time for you, considering how you're busy with the market features and recovering from TCGPlayer's abrupt changes, but security comes before Magic cards.

Please send out emails when things are patched.

For anyone who doesn't know what the heck I'm talking about, google "heartbleed".

Re: Heartbleed Security

No, it is not. LastPass is notorious for false positives on Heartbleed. Please do some research before trying to cause a scare. I tested it with both Qualys Lab and filippo.io testers and it passed.

Re: Heartbleed Security

We patched it yesterday. Not sure where you saw it's vulnerable.

Re: Heartbleed Security

http://possible.lv/tools/hb/?domain=deckbox.org

Re: Heartbleed Security

bactgudz wrote:

No, it is not. LastPass is notorious for false positives on Heartbleed. Please do some research before trying to cause a scare. I tested it with both Qualys Lab and filippo.io testers and it passed.

It's true, LastPass only checks to see if OpenSSL is in use, not whether it is patched. However, Qualys Lab's test is still experimental (they admit this). I don't know anything about filippo.io.

sebi wrote:

We patched it yesterday. Not sure where you saw it's vulnerable.

First, good job on patching it.

According to LastPass, your certificates are still 6 months old. As I understand it, servers need both a patch and new certificates. Check this article (point #6) for a reference, though the article is not written for a technical audience.
http://www.motherjones.com/politics/201 … curity-ssl

Re: Heartbleed Security

Xan wrote:
bactgudz wrote:

No, it is not. LastPass is notorious for false positives on Heartbleed. Please do some research before trying to cause a scare. I tested it with both Qualys Lab and filippo.io testers and it passed.

It's true, LastPass only checks to see if OpenSSL is in use, not whether it is patched. However, Qualys Lab's test is still experimental (they admit this). I don't know anything about filippo.io.

sebi wrote:

We patched it yesterday. Not sure where you saw it's vulnerable.

First, good job on patching it.

According to LastPass, your certificates are still 6 months old. As I understand it, servers need both a patch and new certificates. Check this article (point #6) for a reference, though the article is not written for a technical audience.
http://www.motherjones.com/politics/201 … curity-ssl

Yes, new certs will be needed, as the private key of the cert may have been compromised while OpenSSL was still vulnerable.

Black and Blue--not just for bruises anymore.

Re: Heartbleed Security

Yep, we'll be getting new certs.

It looks like the security issues are not finished: other vulnerabilities have been discovered, so it might be wise to keep the current certs and buy new ones when the waters settle.