Heartbleed?

TheDeepTheDeep Registered Users Posts: 14 Big grins
edited April 16, 2014 in Bug Reporting
Is our photo hosting at SmugMug affected by heartbeat? How about the Dgrin forum? Should we change our passwords? Would like to confirm that my information is safe.

Comments

  • zacHer0zacHer0 Registered Users Posts: 655 Major grins
    edited April 10, 2014
    *Heartbleed*

    SmugMug has taken the recommended actions and is no longer affected by the issue. No need to take any further action.

    I'm not sure about Dgrin but I will find out for you. I'm sure it is fine but I will double check.
    Zac Williams
    Support Hero
  • TheDeepTheDeep Registered Users Posts: 14 Big grins
    edited April 10, 2014
    Thank you for your quick reply. If SmugMug has taken action, does that mean that SmugMug was affected? If so, wouldn't that mean that we need to change our passwords now "post action"?
  • zacHer0zacHer0 Registered Users Posts: 655 Major grins
    edited April 10, 2014
    TheDeep wrote: »
    Thank you for your quick reply. If SmugMug has taken action, does that mean that SmugMug was affected? If so, wouldn't that mean that we need to change our passwords now "post action"?
    No, you do not need to change your passwords.
    Zac Williams
    Support Hero
  • zacHer0zacHer0 Registered Users Posts: 655 Major grins
    edited April 10, 2014
    Update: Dgrin was not affected.
    Zac Williams
    Support Hero
  • TheDeepTheDeep Registered Users Posts: 14 Big grins
    edited April 10, 2014
    Thank you
  • RichardRichard Administrators, Vanilla Admin Posts: 19,967 moderator
    edited April 11, 2014
    zacHer0 wrote: »
    *Heartbleed*

    SmugMug has taken the recommended actions and is no longer affected by the issue. No need to take any further action.

    I'm not sure about Dgrin but I will find out for you. I'm sure it is fine but I will double check.

    Hmmm...this is not completely reassuring, Zac. The issue for SM, Dgrin, and everybody else on the Web is whether they had been vulnerable during the two years prior to the public disclosure of the bug. Even if data are not being exposed today, they might have been in the past. So the proper question to ask any site goes back to the McCarthy era: "Are you now or have you ever been [strike]a communist[/strike] vulnerable to Heartbleed?" I suspect that most companies are not going to be completely forthcoming about it.

    Today's xkcd might help clarify the issue for non-techies:

    heartbleed_explanation.png

    If you have been following good password protection practices all along, it should not be a big deal to change the passwords of your critical accounts. If you use the same password everywhere, now would be a good time to change them.
  • RichardRichard Administrators, Vanilla Admin Posts: 19,967 moderator
    edited April 11, 2014
    zacHer0 wrote: »
    No, you do not need to change your passwords.
    Well, maybe. If SM was never vulnerable you are safe as long as you didn't use the same username and password on any other Web site. But if you did use the same password on many sites, any one of them might have exposed your data. That's why this bug is so potentially dangerous.
  • BaldyBaldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited April 11, 2014
    Richard wrote: »
    Hmmm...this is not completely reassuring, Zac. The issue for SM, Dgrin, and everybody else on the Web is whether they had been vulnerable during the two years prior to the public disclosure of the bug. Even if data are not being exposed today, they might have been in the past. So the proper question to ask any site goes back to the McCarthy era: "Are you now or have you ever been [strike]a communist[/strike] vulnerable to Heartbleed?" I suspect that most companies are not going to be completely forthcoming about it.

    Today's xkcd might help clarify the issue for non-techies:

    heartbleed_explanation.png

    If you have been following good password protection practices all along, it should not be a big deal to change the passwords of your critical accounts. If you use the same password everywhere, now would be a good time to change them.
    Hi Richard,

    Our SSL provider is Akamai, who patched the bug sometime before it was publicly disclosed, because the OpenSSL team gave them advance notice.

    To the best of my knowledge we, along with Yahoo, Facebook, Google, etc., could have been compromised without us knowing. So out of an abundance of caution it seems like a good idea to change your passwords wherever you have sensitive data.

    This Mashable article looks like a pretty good reference:

    http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

    I hope this helps,
    Baldy
  • RichardRichard Administrators, Vanilla Admin Posts: 19,967 moderator
    edited April 11, 2014
    Baldy wrote: »
    Hi Richard,

    Our SSL provider is Akamai, who patched the bug sometime before it was publicly disclosed, because the OpenSSL team gave them advance notice.

    To the best of my knowledge we, along with Yahoo, Facebook, Google, etc., could have been compromised without us knowing. So out of an abundance of caution it seems like a good idea to change your passwords wherever you have sensitive data.

    This Mashable article looks like a pretty good reference:

    http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

    I hope this helps,
    Baldy
    Thanks Baldy. I appreciate your frank reply.
  • shandrewshandrew Administrators, Vanilla Admin Posts: 33 SmugMug Employee
    edited April 11, 2014
    If you'd like to read some high-quality technical analysis of the bug, check out http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
    I work at SmugMug but these opinions are usually my own.
  • RichardRichard Administrators, Vanilla Admin Posts: 19,967 moderator
    edited April 12, 2014
    shandrew wrote: »
    If you'd like to read some high-quality technical analysis of the bug, check out http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
    Interesting read, thanks. It does make it sound as if the sky isn't, in fact, falling over this one. Good to know.
  • ChancyRatChancyRat Registered Users Posts: 2,141 Major grins
    edited April 16, 2014
    Richard wrote: »
    Interesting read, thanks. It does make it sound as if the sky isn't, in fact, falling over this one. Good to know.

    It appears this site has been updated to say that the article, as originally written, was wrong.
    Reference is to 12-ish today, I think. FYI.
    http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed