Heartbleed Bug Update

Mark Hamstra | April 14, 2014

If your sysadmin friends have been missing appointments over the past week, chances are they've been working hard on patching the Heartbleed bug which was announced past Monday (April 7th). This bug in OpenSSL, an extension that handles the encryption of data when using SSL/HTTPS websites, allows anyone who's a bit savvy on the command line to dump data from the memory of the remote server. This data can include the private key behind the SSL Certificate, session cookies, but also login data. 

The modmore server makes use of OpenSSL and as a result was vulnerable for this attack as well. Shortly after the bug was announced our host, SkyToaster, took the first steps in making sure our server (and the other 40 or so they manage) was secure. After a further round of testing, the server was all patched up on April 8th. A few precautions have been taken early last week:

  • Obviously the server has been updated to run a patched version of OpenSSL. 
  • The SSL certificate has been rekeyed on Friday (with a larger key size), but due to delays at the certificate authority the new certificate has not yet been processed. We expect the new certificate to be installed (and the old one revoked) on Tuesday. Update: the new certificate has been installed.
  • All user sessions were invalidated, just in case someone did poke around and managed to get hold of someone's session cookie. 

There has been no suspicious activity in the past week to suggest our users have been targeted and had their credentials stolen. As such, there is no immediate need to change your password. If you wish to do so (it's good to change your password regularly!), you can do so in your account

If your modmore.com password is the same as your password somewhere else, we strongly recommend changing your password both on our site and any other site using the same password as soon as possible. Using a tool like LastPass or 1Password you can use random, unique passwords across the web easily. 

Our server never handles any credit card or sensitive payment information (just transaction IDs and timestamps). Below you will find statements regarding this bug from our payment providers. 

  • PayPal issued a statement here, they were not affected by the bug.
  • Mollie (iDeal Payments) were vulnerable up to Tuesday (April 8th), 8:00 local time at which point the vulnerability was resolved (see tweet). Between the announcement of the bug and the patch none of our users made transactions via Mollie/iDeal. 
  • PayMill (Credit Card Payments) was vulnerable but fixed the same day (Monday April 7th). See their statement. Between the announcement of the bug and their patch, none of our users paid with a credit card.