mario Site Admin
Joined: 03 Oct 2006 Posts: 7201
Posted: Wed Apr 09, 2014 11:45 am Post subject: Heartbleed SSL vulnerability
Gixen is not affected by the Heartbleed SSL vulnerability, as Gixen front-end servers are running OpenSSL versions that are not vulnerable, and are, in fact, older than the versions affected. I will upgrade them to the latest version in the near future regardless.
I am unsure as to whether eBay itself is affected, as I do not know the nature of eBay front-end servers. I believe that they used to be Microsoft-based (IIS), but that may have changed, as they no longer identify themselves. I will wait for eBay itself to have a say on this.
Cupid
Joined: 09 Aug 2007 Posts: 7786 Location: Bristol, UK
Posted: Wed Apr 09, 2014 12:43 pm
Thank you for this announcement Mario, and well done for investigating it and assuring the users before most would even have been aware of the possibility of a problem.
It goes to show that being on what we used to refer to as the 'bleeding edge' is not the place to be for well established services like Gixen... using what has been tried and tested over a long period and not upgrading as soon as is possible (unless the new features are essential) is always the better strategy IMHO.
This looks like a major mess up by the OpenSSL team... it having been left undetected for two years just makes it even more shocking.
_________________
Mark
mario Site Admin
Joined: 03 Oct 2006 Posts: 7201
Posted: Wed Apr 09, 2014 12:58 pm
Mark,
To be completely honest, I never put much trust in SSL anyway. If you look historically (see link below), it seems that only as of fairly recently one can assume that SSL/TLS is secure, with the proper combination of version and cipher.
https://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher
I wouldn't be surprised if security organizations that have know-how and resources can read through it effortlessly.
I feel much more confident about eBay security measures than SSL. In other words, what actions can an intruder do if they already have my eBay credentials that would harm me? Thanks to eBay security measures, not much, or at least not much without me noticing and being notified.
© 2006 - 2023 Gixen.com. Forum powered by phpBB © 2001, 2005 phpBB Group.