Heartbleed SSL bug vulnerability April 8, 2014 9:33 PM

I've got the Chrome addon for the Heartbleed server test site and it's just given me a message saying that metafilter.com is vulnerable to the Heartbleed SSL bug. More information about the bug.
posted by divabat to MetaFilter-Related at 9:33 PM (50 comments total) 6 users marked this as a favorite

I'm not sure why you're getting that result. We patched the servers yesterday.

The online tool gives us a not affected score.
posted by pb (staff) at 9:35 PM on April 8, 2014 [3 favorites]


There is also an open post about it on the blue if people want to discuss the bug itself.
posted by LobsterMitten (staff) at 9:36 PM on April 8, 2014


divabat, are you running any MetaFilter-related browser extensions? One of them might be loading scripts or images from an affected site.
posted by pb (staff) at 9:51 PM on April 8, 2014


Nope!
posted by divabat at 9:57 PM on April 8, 2014


I installed the Chrome extension and I'm not seeing any warnings. Are you getting the warning consistently with every pageview? Is it a particular page somewhere?
posted by pb (staff) at 9:59 PM on April 8, 2014


I don't know what this is but I'm glad we don't have it!
posted by Justinian at 9:59 PM on April 8, 2014 [3 favorites]


I don't quite recall: I was just randomly browsing through threads on Recent Activity (particularly the new MH370 thread and the thread about the untestable game) when it popped up. On a different computer now so can't replicate.

I tweeted the dev with the issue (it's also happening on Tumblr) so hopefully he can look into it.
posted by divabat at 11:13 PM on April 8, 2014


ah ok, thanks for the extra info.
posted by pb (staff) at 11:44 PM on April 8, 2014


Quick, invalidate the certs!
posted by blue_beetle at 7:34 AM on April 9, 2014


Are MetaFilter users vulnerable to heartbleed?
quidnunc kid, boy-reporter at The Daily Meta, investigates this important story.


Dateline: Today. A new scandal has struck the palpitating core of "MetaFilter", the internet's most notorious fight-club. Users of this web-service claim to be suffering from "heartbleed", one of the telltale symptoms of liberalism. Yet the rulers of MetaFilter claim to have taken all reasonable measures to prevent such excesses of dewy-eyed compassion.

With my trusty dog-companion Snowy and alcoholic hanger-on Captain Haddock, I have investigated these reports and can reveal that MetaFilter does, indeed, cause bleeding of the heart - and users thereof are at grave risk of losing all control of their former stoic, laissez-faire attitude toward the suffering of others.

I have personally witnessed numerous examples of unsolicited "niceness", "generosity" directed toward those in distress, and even - that most vile of modern sins! - so-called "political correctness".

And yet - what had happened to Professor Calculus? We returned to Marlinspike Hall - only to find those bumbling detectives, Thomson and Thompson, waiting to arrest us, on the basis that we had stolen the Castafiore Emerald! I need hardly tell you it was another of their ridiculous mistakes. But then Snowy turned into a giant bottle of whiskey! I woke up from this dream, and was lying in a hospital bed, pb looking over me kindly. He told me that I was suffering from Tintinitus, but I am certain that my online tool had given me a "not affected" score. But I do know this: I will NEVER stop drinking too much.
posted by the quidnunc kid at 9:15 AM on April 9, 2014 [68 favorites]


I just got the same popup. I have no active extensions other than Chromebleed. It only popped up once, after I'd already been browsing for a bit, and did not come back on further pageloads. I'll reload a bunch and see if I can make it happen again.
posted by Turbo-B at 12:47 PM on April 9, 2014


Spent a few minutes clicking all over the dang place, no further problems.
posted by Turbo-B at 12:53 PM on April 9, 2014


So, the server's patched; we should probably all be changing our passwords now, huh?
posted by inigo2 at 1:09 PM on April 9, 2014 [1 favorite]


Not yet inigo2. We're in the process of updating our SSL certificates. We'll announce here when that's finished.
posted by pb (staff) at 1:11 PM on April 9, 2014 [1 favorite]


Just for fun we need a .onion address for metafilter, giddyup pony!
posted by jeffburdges at 1:24 PM on April 9, 2014 [2 favorites]


Cool, thanks pb, appreciate it!
Definitely feeling for all the IT folks these days (and super glad I'm no longer in a position to be managing the certs for a few sites).
posted by inigo2 at 1:33 PM on April 9, 2014 [2 favorites]


We updated our SSL certificates everywhere. Go ahead and change your password now.

If you're wondering what the heck this is all about, I thought Ed Felten had a nice writeup today: How to protect yourself from Heartbleed.

Basically there's no way to know if someone was able to obtain a private key from affected servers so we have to assume they did. We patched the servers on April 7th when the bug was announced and we updated the SSL certificates with new private keys today.
posted by pb (staff) at 1:38 PM on April 9, 2014 [3 favorites]

There is also an open post about it on the blue if people want to discuss the bug itself.
Meta. Filter.
posted by blueberry at 1:39 PM on April 9, 2014


pb, thanks for being on the case with this. Excellent service as always, A++ would comment again.
posted by arcticseal at 2:03 PM on April 9, 2014 [1 favorite]


I'm not sure the filippo.io code is perfect. I used the Go code it runs on ("Please note that the code is a bit of a mess, not exactly release-ready") to check a site today and got back a message saying the site was vulnerable, but other testing tools said it was fine and the host confirmed they'd patched OpenSSL yesterday.
posted by yerfatma at 2:42 PM on April 9, 2014


what happens if I don't change my password? might a hacker post better comments than I do?
posted by desjardins at 2:44 PM on April 9, 2014 [7 favorites]


They might start with a capital letter.
posted by adamvasco at 3:01 PM on April 9, 2014 [11 favorites]


So which MetaFilter sites use SSL anyways? I only see login.metafilter.com, which I would assume is only used for logging in.
posted by smackfu at 3:20 PM on April 9, 2014


So which MetaFilter sites use SSL anyways?

There's an option in your preferences to "use secure browsing". That turns on SSL/TLS for all MetaFilter domains. We also have a domain for static components, mefi.us. And the chat server uses certificates in various places.
posted by pb (staff) at 3:27 PM on April 9, 2014 [1 favorite]


I'm going to live dangerously and NOT change my password on Metafilter. TAKE THAT.
posted by Justinian at 5:03 PM on April 9, 2014 [5 favorites]


I'm going to change my password to be the same as Justinian's. Safety in numbers!
posted by ook at 6:06 PM on April 9, 2014 [11 favorites]


Qualys SSL Labs gives MeFi an A- for its server config.
posted by gingerest at 6:27 PM on April 9, 2014


I'm going to change my password to be all dots, so I can see what I'm typing.
posted by ctmf at 7:37 PM on April 9, 2014 [3 favorites]


is this where we change our password?

hunter2
posted by desjardins at 7:50 PM on April 9, 2014 [17 favorites]


my new password is butts2, thanks mods.
posted by Ghostride The Whip at 8:11 PM on April 9, 2014 [2 favorites]


butts4hunter2
posted by Brent Parker at 8:47 PM on April 9, 2014 [3 favorites]


got back a message saying the site was vulnerable

Did it actually come back with a chunk of memory contents like it's supposed to for a vulnerable site? I could see bad code failing to recognize a vulnerable server but I'm curious about how something like this could have a false positive.
posted by Nonsteroidal Anti-Inflammatory Drug at 9:40 PM on April 9, 2014


I think the tool that Chromebleed is based on has some glitches. Their FAQ mentions false positives.

The Qualys Test that someone mentioned upthread also tests for Heartbleed and MetaFilter sites are testing fine there.
posted by pb (staff) at 9:54 PM on April 9, 2014


Their FAQ mentions false positives.

That would explain what I noticed last night.
posted by Blazecock Pileon at 10:10 PM on April 9, 2014


ihuntbutts4thegloryofmefi2
posted by homunculus at 11:03 PM on April 9, 2014 [1 favorite]


Ok, I now know what this is and am still glad we don't have it. I'm sure my bank and investment firm and credit card company all run as tight a ship as pb, right? Right?
posted by Justinian at 12:18 AM on April 10, 2014


I changed my password to pbhuntsbutts2
posted by Justinian at 12:21 AM on April 10, 2014


2butts2furious
posted by EndsOfInvention at 1:07 AM on April 10, 2014 [3 favorites]


butts4hunter2

And that's how the best-of-seven match ended, folks.
posted by Wolfdog at 3:39 AM on April 10, 2014


Butt elephant.
posted by Melismata at 3:50 AM on April 10, 2014 [1 favorite]


pb: " I thought Ed Felten had a nice writeup today: How to protect yourself from Heartbleed. "

From the article: "Most of the sites you use were probably vulnerable. Your password might have been leaked from any one of them. Unless you’re sure that a site was never vulnerable, you should change your password on that site. (It’s not enough that a site is invulnerable now, because your password could have leaked before the site was fixed.)"

I suggest waiting until there is confirmation that a site has run a patch before changing one's password.
posted by zarq at 7:39 AM on April 10, 2014 [2 favorites]


There are definitely false positives coming from the Chromebleed extension. I've had it ping (only once each) on reddit, wikipedia and ssllabs today, and once more on mefi.
posted by Turbo-B at 9:51 AM on April 10, 2014


The fact is a good bleeding can help revive a sluggish computer due to an excess of digital humours. That's what the Geek Squad guy told me, and he only charged me a piglet to do it.
posted by George_Spiggott at 9:52 AM on April 10, 2014 [4 favorites]


I wish Safari's auto-suggester worked with password changes, because I have a long list now (one longer after reading this thread).
posted by immlass at 9:58 AM on April 10, 2014


That's what the Geek Squad guy told me, and he only charged me a piglet to do it.

Surely the Greek Squad guy....
posted by GenjiandProust at 10:46 AM on April 10, 2014 [1 favorite]


The certificate view in chrome shows that the certificate has a "Valid From" date of November 29, 2013. Is the new certificate just backdated, or am I somehow still getting/using the old certificate?
posted by grandsham at 12:43 PM on April 10, 2014


The new certificate has the same valid dates, yeah, because that's what we paid for.

Each certificate has a SHA1 fingerprint. That changed between the new and the old. I was using that yesterday to verify the new certificate was being served everywhere.
posted by pb (staff) at 12:50 PM on April 10, 2014 [1 favorite]
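The check pb describes above (compare fingerprints, not validity dates, to confirm the rekeyed certificate is served everywhere after assuming the old private key leaked) as an added example; this is not MetaFilter's own script. The hostnames come from the thread, the function names and the expected fingerprint are my own choices, and the fingerprint in `main` is a placeholder.

```python
"""Confirm a rotated TLS certificate is actually served on every endpoint.

Added example, not MetaFilter's tooling. Because the replacement cert was
issued with the same validity window, "Valid From" proves nothing; the
fingerprint of the DER-encoded certificate is what changes when the key does.
"""
import hashlib
import socket
import ssl

# Hostnames mentioned in the thread; ports are an assumption.
ENDPOINTS = [("metafilter.com", 443), ("login.metafilter.com", 443), ("mefi.us", 443)]


def fingerprint(der_bytes: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase hex digest of a DER certificate, in the form
    browsers of the time displayed. Use algo="sha256" where tooling allows."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate presented for `host`. SNI is sent so that
    each virtual host on a shared IP is checked individually."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def stale_endpoints(expected_fp: str, served: dict, algo: str = "sha1") -> list:
    """Given {endpoint: DER bytes}, return endpoints whose certificate does not
    match the expected (new) fingerprint. A stale endpoint still presents the
    certificate whose private key must be assumed compromised."""
    expected = expected_fp.upper()
    return sorted(ep for ep, der in served.items() if fingerprint(der, algo) != expected)


def main() -> None:
    expected = "PLACEHOLDER:FINGERPRINT:OF:NEW:CERT"  # paste from the CA / your own check
    served = {}
    for host, port in ENDPOINTS:
        try:
            served[f"{host}:{port}"] = fetch_der_cert(host, port)
        except (OSError, ssl.SSLError) as exc:  # unreachable hosts are reported, not hidden
            print(f"{host}:{port} could not be checked: {exc}")
    for ep in stale_endpoints(expected, served):
        print(f"STALE: {ep} still serves {fingerprint(served[ep])}")


if __name__ == "__main__":
    main()
```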


Anything the mods feel the need to delete in the future was posted by some evil person who compromised my MeFi account. Not me. Certainly not me.
posted by Naberius at 1:12 PM on April 10, 2014


alcoholic hanger-on Captain Haddock

Was I the only one to become peeved that there was no reference to Mefi's own Admiral Haddock?
posted by treehorn+bunny at 1:44 PM on April 11, 2014


Password? What?
posted by marienbad at 12:32 AM on April 12, 2014

