Heart bleed bug: Is WP compromised?
From one news site, and I’m wondering whether WP users are affected:
There is a major flaw in the security of the World Wide Web — one that has even Internet security firms feeling a little panicked.
A massive vulnerability has been found in OpenSSL, the open-source software package broadly used to encrypt Web communications. The flaw allows attackers to steal the information that is normally protected by SSL/TLS encryption, which is used to protect Web applications, e-mail communications, instant messaging (IM) and some virtual private networks (VPNs).
Essentially, that means a lot of Internet users are affected. And potentially, passwords, private communications and even credit card information could be available to hackers courtesy of this newly-discovered bug.
The blog I need help with is davidderrick.wordpress.com.
oops! I meant to post this link
WordPress.com and WordPress.org
It very likely was a WordPress.com issue, but as of right now they have updated their OpenSSL libraries and don’t appear to be vulnerable.
As for self-hosted sites, it will be on a host-by-host basis. The real people in trouble are the ones who self-manage SSL enabled sites and who aren’t yet aware of the OpenSSL vulnerability.
If WordPress.com was affected, it’s still an issue.
Changing the library is good, but the key question is whether the SSL certificate was compromised before this took place. Heartbleed can allow an attacker to get the private key of the site’s SSL certificate. Putting in the fixed OpenSSL library is step one. Step two is getting a new SSL certificate. According to the one I checked today it was issued in 2010, so this has not happened yet.
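The two-step check described in the post above (is the OpenSSL build a fixed version, and was the certificate reissued after the fix?) can be automated. The following is an added example, not code from the forum thread or from WordPress; it parses a certificate's notBefore date with a minimal DER walker and compares it against the 7 April 2014 release date of OpenSSL 1.0.1g. The sample certificate skeleton is constructed inline (no real key or signature) so the block runs offline; the function names are the example's own. Two caveats a practitioner should keep in mind: distributions often backport the fix without bumping the version string, so a "vulnerable" verdict from the version check means "consult the package changelog", and a reissued certificate only helps if a fresh key pair was generated with it.

```python
"""Post-Heartbleed remediation check (added example, not from the thread)."""
import base64
import re
from datetime import datetime, timezone

# Release date of OpenSSL 1.0.1g, the version that fixed CVE-2014-0160.
HEARTBLEED_FIX_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def openssl_version_vulnerable(version: str) -> bool:
    """True for upstream versions affected: 1.0.1 through 1.0.1f and 1.0.2-beta1.
    0.9.8, 1.0.0 and 1.0.1g+ are not affected.  Backported distro fixes keep
    the old version string, so treat True as 'verify the package', not 'exposed'."""
    m = re.match(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, fix, letter, beta = m.groups()
    branch = (int(major), int(minor), int(fix))
    if branch == (1, 0, 1):
        return letter < "g"          # '' (plain 1.0.1) up to 'f' are affected
    if branch == (1, 0, 2):
        return beta == "1"           # only the first 1.0.2 beta shipped the bug
    return False


def _der_tlv(buf: bytes, pos: int):
    """Decode one DER TLV; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- lines and base64-decode the body."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def certificate_not_before(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity -> notBefore (RFC 5280)."""
    _, tbs_start, _, _ = _der_tlv(der, 0)          # outer Certificate SEQUENCE
    _, pos, _, _ = _der_tlv(der, tbs_start)        # tbsCertificate SEQUENCE
    tag, _, _, nxt = _der_tlv(der, pos)            # [0] version (optional) or serialNumber
    if tag == 0xA0:                                # explicit version present (v2/v3)
        _, _, _, nxt = _der_tlv(der, nxt)          # then read serialNumber
    pos = nxt                                      # past serialNumber
    _, _, _, pos = _der_tlv(der, pos)              # skip signature AlgorithmIdentifier
    _, _, _, pos = _der_tlv(der, pos)              # skip issuer Name
    _, vstart, _, _ = _der_tlv(der, pos)           # validity SEQUENCE
    tag, tstart, tend, _ = _der_tlv(der, vstart)   # notBefore Time
    text = der[tstart:tend].decode("ascii")
    if tag == 0x17:                                # UTCTime: YYMMDDHHMMSSZ
        year = int(text[:2]) + (1900 if int(text[:2]) >= 50 else 2000)
        text = f"{year}{text[2:]}"
    elif tag != 0x18:                              # 0x18 = GeneralizedTime: YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected notBefore tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def key_rotated_after_fix(not_before: datetime) -> bool:
    """A certificate issued before the fix date was issued with the possibly
    exposed key and still needs replacing (with a newly generated key pair)."""
    return not_before >= HEARTBLEED_FIX_DATE


def _tlv(tag: int, content: bytes) -> bytes:
    """DER-encode tag + length + content (used only to build the sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_cert_skeleton(not_before_utc: str) -> bytes:
    """CONSTRUCTED sample (hypothetical 'Example CA'): a v3 tbsCertificate
    prefix up to the validity field, with no key or signature."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                   # [0] EXPLICIT INTEGER 2
    serial = _tlv(0x02, b"\x01\x23")
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0c, b"Example CA"))))
    validity = _tlv(0x30, _tlv(0x17, not_before_utc.encode()) + _tlv(0x17, b"160101000000Z"))
    return _tlv(0x30, _tlv(0x30, version + serial + sig_alg + issuer + validity))


if __name__ == "__main__":
    print("1.0.1e vulnerable:", openssl_version_vulnerable("OpenSSL 1.0.1e 11 Feb 2013"))
    nb = certificate_not_before(constructed_cert_skeleton("100615120000Z"))
    print("issued", nb.date(), "rotated after fix:", key_rotated_after_fix(nb))
```

On a live host the DER bytes would come from `pem_to_der()` applied to the server's certificate file, and the version string from `openssl version`; the skeleton builder exists only so the example has an input.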
We put up some fairly comprehensive coverage on heartbleed for the wordpress self hosted blogs and sites on our blog this morning.
The silence on this issue from the WordPress.com staff is disappointing. Do WordPress.com users need to reset their passwords, but before that, are we going to receive a confirmation that the old, potentially compromised SSL certificate has been replaced?
This has nothing to do with individual blogs, so the “com vs. org” discussion is a distraction. This issue affects all WordPress.com users who are users of the larger WordPress.com infrastructure (previously known as WPMU?)
Okay, in the vast silence from WordPress, I decided to just change my password and be done with it. Repeatedly, I get “Unauthorized Password Change Request” after the form says the Password can be saved. What’s happening here?
While the “Heartbleed” vulnerability is a serious one, it alone probably did not compromise much (if any) information on WordPress.com (or any other sites).
It is possible for a hacker to get sensitive information from a server, but I’ve yet to see any evidence that this exploit has been seen “in the wild.” (links, anyone?)
What is most serious for a site like this is that an eavesdropper *might* get the private key and decode SSL traffic to the site, which would reveal passwords. What all news reports seem to overlook is that the hacker would need to be in a position to eavesdrop. This generally means being on the same sub-net. I can eavesdrop on my co-workers on my hall, but not the ones on other floors. I can eavesdrop on the traffic in my home, but I cannot see my neighbor’s traffic, even if they are on the same cable ISP. If your WiFi is not secured with WPA, this bug might make you vulnerable.
The PR effort that went into this announcement (heartbleed.com, logo, etc.) leads me to believe that someone has an ulterior motive. Certainly Cloudflare and others were tooting their own horns while others were scrambling to get patches out.
Like all security bugs, we need to take steps to secure our systems, such as timely updates. Like all security bugs, this is no time to panic or abandon OSS.
Password changes are a good idea. @theh2obaby – my password change went through without a glitch…
If you used the same password elsewhere, give yourself a dope-slap and go change it to something different and secure (can you google “password safe”?).
Also, regarding the “silence” from WordPress.com – they are secure and patched. There is *nothing* else they can say. They were not negligent. There is no way to know if their SSL was compromised, and even if it was, see my previous post.
colwebhelp ~ Thanks for the feedback.
@seanmwooten “The silence on this issue from the WordPress.com staff is disappointing.”
I’m afraid that’s very typical. Staff often do not even bother to read the thread on which they are commenting (when they come in at all). But here, as you say, nothing.
markjaquith is Staff. … a provider of freelance WordPress services, and a lead developer of the WordPress personal publishing platform.
Ok, then I partly take that back … markjaquith gave an excellent reply.
This thread has been seriously derailed. I don’t post here often so I don’t want to get off on the wrong foot with anyone, but the majority of these posts have nothing to do with the issue at hand and are serving as a distraction.
Not to insult markjaquith or diminish his role in the WordPress community, but he is not WordPress.com staff. In relation to WordPress.com, since this is the “.com” forum as we were reminded from the beginning, the WordPress software itself is not the issue. The SSL certificate is the issue and it needs to be replaced.
This is an issue for the WordPress.com staff who operate the servers, and those are the people we should be hearing from. The staff at Google, Yahoo, Facebook, and Tumblr have all issued statements concerning how this vulnerability affects their users and if it is safe to reset user passwords. Someone from WordPress.com needs to issue a similar statement.
colwebhelp: This is good information, but I will not feel secure until WordPress.com is issued a new SSL certificate. If it is revealed that the locks on my front door are defective, the fact that no one has yet broken into my house, or that the police regularly patrol my neighborhood, isn’t an answer to the problem. The locks need to be replaced.