Trade score 0 (100%)
Members
Registered: 15-Nov-2013 20:25
Posts: 34
10-Apr-2014 14:20 (Last edited: 24-Sep-2025 12:59)
1
Sorry Sebi. As of right now, I'm not using Deckbox until it is updated against the OpenSSL Heartbleed exploit. Scanning the site on LastPass shows it is still vulnerable.

Couldn't come at a worse time for you, considering how you're busy with the market features and recovering from TCGPlayer's abrupt changes, but security comes before Magic cards.

Please send out emails when things are patched.

For anyone who doesn't know what the heck I'm talking about, google "heartbleed".

Attachment: lastpass.png Size: 36.3 KB

Trade score 146 (100%)
Members
Registered: 28-Oct-2013 02:12
Posts: 73
No it is not. LastPass is notorious for false positives on Heartbleed. Please do some research before trying to cause a scare. I tested it with both Qualys Lab and filippo.io testers and it passed.
Trade score 13 (100%)
Administrators
Registered: 18-May-2009 18:29
Posts: 3444
We patched it yesterday. Not sure where you saw it's vulnerable.
Trade score 13 (100%)
Administrators
Registered: 18-May-2009 18:29
Posts: 3444
Trade score 0 (100%)
Members
Registered: 15-Nov-2013 20:25
Posts: 34
bactgudz wrote: No it is not. LastPass is notorious for false positives on Heartbleed. Please do some research before trying to cause a scare. I tested it with both Qualys Lab and filippo.io testers and it passed.
It's true, LastPass only checks to see if OpenSSL is in use, not whether it is patched. However, Qualys Lab's test is still experimental (they admit this). I don't know anything about filippo.io.

sebi wrote: We patched it yesterday. Not sure where you saw it's vulnerable.
First, good job on patching it.

According to LastPass, your certificates are still 6 months old. As I understand it, servers need both a patch and new certificates. Check this article (point #6) for a reference, though the article is not written for a technical audience.
http://www.motherjones.com/politics/2014/04/heartbleed-bug-internet-security-ssl
Trade score 62 (100%)
Members
Registered: 20-Jun-2011 01:11
Posts: 848
Xan wrote:
bactgudz wrote: No it is not. LastPass is notorious for false positives on Heartbleed. Please do some research before trying to cause a scare. I tested it with both Qualys Lab and filippo.io testers and it passed.
It's true, LastPass only checks to see if OpenSSL is in use, not whether it is patched. However, Qualys Lab's test is still experimental (they admit this). I don't know anything about filippo.io.

sebi wrote: We patched it yesterday. Not sure where you saw it's vulnerable.
First, good job on patching it.

According to LastPass, your certificates are still 6 months old. As I understand it, servers need both a patch and new certificates. Check this article (point #6) for a reference, though the article is not written for a technical audience.
http://www.motherjones.com/politics/2014/04/heartbleed-bug-internet-security-ssl

Yes, new certs will be needed, as the private key of the cert may have been compromised while OpenSSL was still vulnerable.
Trade score 13 (100%)
Administrators
Registered: 18-May-2009 18:29
Posts: 3444
Yep, we'll be getting new certs.

It looks like the security issues are not finished; there are other vulnerabilities discovered, so it might be wise to keep current certs and buy new ones when the waters settle.
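
Added example, not part of any post in this thread: a sketch of the certificate-side check the replies describe, where a patched server still needs a certificate issued after the patch and a key that was never exposed. The dicts mimic the output of Python's `ssl.SSLSocket.getpeercert()`; the patch date, certificate dates and key fingerprints are constructed values, and the fingerprints are assumed to be computed elsewhere.

```python
import ssl
from datetime import datetime, timezone

# Assumed patch date for illustration (constructed, not taken from server logs).
PATCHED_ON = datetime(2014, 4, 9, tzinfo=timezone.utc)

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output.
OLD_CERT = {"notBefore": "Oct 10 00:00:00 2013 GMT"}   # about 6 months old
NEW_CERT = {"notBefore": "Apr 11 00:00:00 2014 GMT"}   # issued after the patch


def issued_at(cert):
    """Return the certificate's notBefore as an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def remediation_status(cert, key_fp, pre_patch_key_fp, patched_on=PATCHED_ON):
    """Classify the certificate side of Heartbleed cleanup.

    key_fp           -- fingerprint of the public key served now (hypothetical input)
    pre_patch_key_fp -- fingerprint recorded while the server was unpatched
    """
    if issued_at(cert) < patched_on:
        # Certificate predates the patch, so its private key was in server
        # memory while that memory could still be read out.
        return "stale-cert"
    if key_fp == pre_patch_key_fp:
        # A fresh certificate over the same key pair does not help: the key
        # that may have leaked is still the one protecting traffic.
        return "reissued-same-key"
    return "rekeyed"


if __name__ == "__main__":
    for label, cert, fp in [
        ("patched, old cert", OLD_CERT, "aa11"),
        ("new cert, same key", NEW_CERT, "aa11"),
        ("new cert, new key", NEW_CERT, "bb22"),
    ]:
        print(label, "->", remediation_status(cert, fp, "aa11"))
```

A patch-only scanner result and a certificate-age warning can therefore both be correct at the same time, since they look at different parts of the cleanup.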