Heart bleed bug: Is WP compromised?

    #1738847

    davidderrick
    Member

    From one news site, and I’m wondering whether WP users are affected:

    There is a major flaw in the security of the World Wide Web — one that has even Internet security firms feeling a little panicked.
    A massive vulnerability has been found in OpenSSL, the open-source software package broadly used to encrypt Web communications. The flaw allows attackers to steal the information that is normally protected by SSL/TLS encryption, which is used to protect Web applications, e-mail communications, instant messaging (IM) and some virtual private networks (VPNs).
    Essentially, that means a lot of Internet users are affected. And potentially, passwords, private communications and even credit card information could be available to hackers courtesy of this newly-discovered bug.

    The blog I need help with is davidderrick.wordpress.com.

    #1738971

    The de facto test tool for this is available here:
    http://filippo.io/Heartbleed

    According to the tool, your domain is not affected.

    #1738973

    timethief
    Member

    @davidderrick
    This is not a WordPress.COM issue. Please remove the modlook tag. You are confusing WordPress.COM blogs hosted on this blogging platform and WordPress.ORG installs.
    http://en.support.wordpress.com/com-vs-org/

    #1738974

    timethief
    Member

    Oops! I meant to post this link:
    WordPress.com and WordPress.org
    http://en.support.wordpress.com/com-vs-org/

    #1738999

    markjaquith
    Member

    It very likely was a WordPress.com issue, but as of right now they have updated their OpenSSL libraries and don’t appear to be vulnerable.

    As for self-hosted sites, it will be on a host-by-host basis. The real people in trouble are the ones who self-manage SSL enabled sites and who aren’t yet aware of the OpenSSL vulnerability.

    #1739000

    timethief
    Member

    @markjaquith
    Hi there and thanks so much for the clarity on that.

    #1739022

    conficient
    Member

    If WordPress.com was affected, it’s still an issue.

    Changing the library is good, but the key question is whether the SSL certificate was compromised before this took place. Heartbleed can allow an attacker to get the private key of the site’s SSL certificate. Putting in the fixed OpenSSL library is step one. Step two is getting a new SSL certificate. According to the one I checked today it was issued in 2010, so this has not happened yet.
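
The check described in the post above, reading a certificate's issue date and comparing it with the patch date, as an added Python example that is not part of this thread or of WordPress.com's own tooling. The minimal DER walker, the skeleton sample certificates (constructed here, not real certificates) and the choice of 2014-04-07 (the public disclosure and OpenSSL 1.0.1g release date) as the cutoff are this example's own assumptions.

```python
"""Read an X.509 certificate's validity window with a minimal DER walker and
flag whether notBefore falls after the Heartbleed disclosure date."""
import ssl
from datetime import datetime, timezone

# Cutoff assumed by this example: public disclosure / OpenSSL 1.0.1g, 2014-04-07.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

SEQUENCE, INTEGER, BIT_STRING = 0x30, 0x02, 0x03
UTCTIME, GENERALIZEDTIME, CONTEXT0 = 0x17, 0x18, 0xA0


def read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: a single length byte
        length = first
    else:                                 # long form: 0x8N followed by N length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def parse_time(tag, value):
    """Decode an X.509 Time: UTCTime YYMMDDHHMMSSZ or GeneralizedTime YYYYMMDDHHMMSSZ."""
    text = value.decode("ascii")
    if tag == UTCTIME:                    # RFC 5280: years 50-99 are 19xx, 00-49 are 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != GENERALIZEDTIME:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded Certificate."""
    tag, cert, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE { tbsCertificate, ... }
    tbs_tag, tbs, _ = read_tlv(cert, 0)
    if tag != SEQUENCE or tbs_tag != SEQUENCE:
        raise ValueError("not a DER Certificate")
    fields = list(children(tbs))
    if fields and fields[0][0] == CONTEXT0:   # optional EXPLICIT [0] version
        fields = fields[1:]
    # TBSCertificate order: serialNumber, signature, issuer, validity, subject, ...
    vtag, validity = fields[3]
    if vtag != SEQUENCE:
        raise ValueError("validity field missing")
    not_before, not_after = (parse_time(t, v) for t, v in children(validity))
    return not_before, not_after


def reissued_after_heartbleed(der):
    """True if the certificate's notBefore is on or after the disclosure date."""
    return cert_validity(der)[0] >= HEARTBLEED_DISCLOSED


def fetch_validity(host, port=443):
    """Fetch a live server's certificate (network access) and return its validity window."""
    pem = ssl.get_server_certificate((host, port))
    return cert_validity(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample data: skeleton certificates for this example, not real ones ---
def der(tag, body):
    """Encode one DER TLV (used only to build the samples below)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def sample_cert(not_before, not_after):
    """Build just enough TBSCertificate structure for the walker to find Validity."""
    tbs = der(SEQUENCE,
              der(CONTEXT0, der(INTEGER, b"\x02"))          # version v3
              + der(INTEGER, b"\x01")                       # serialNumber
              + der(SEQUENCE, b"")                          # signature (placeholder)
              + der(SEQUENCE, b"")                          # issuer (placeholder)
              + der(SEQUENCE, der(UTCTIME, not_before) + der(UTCTIME, not_after))
              + der(SEQUENCE, b""))                         # subject (placeholder)
    return der(SEQUENCE, tbs + der(SEQUENCE, b"") + der(BIT_STRING, b"\x00"))


OLD_CERT = sample_cert(b"100601000000Z", b"150601000000Z")   # issued in 2010, as in the post
NEW_CERT = sample_cert(b"140410000000Z", b"160410000000Z")   # reissued three days after the patch

if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        nb, na = cert_validity(cert)
        print(name, nb.date(), "->", na.date(), "reissued after disclosure:", reissued_after_heartbleed(cert))
```

Against a live site, `fetch_validity("example.org")` pulls the served certificate with the standard library's `ssl.get_server_certificate` and converts it with `ssl.PEM_cert_to_DER_cert` before handing it to the same walker. A notBefore after the patch date only shows that a new certificate was issued; it does not by itself prove a fresh private key was generated, and the old certificate remains usable by anyone holding its key until it is revoked, so the issue date is a first check, not the whole answer.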

    #1739027

    mmaunder
    Member

    We put up some fairly comprehensive coverage on heartbleed for the wordpress self hosted blogs and sites on our blog this morning.

    Regards,

    Mark.

    #1739028

    seanmwooten
    Member

    The silence on this issue from the WordPress.com staff is disappointing. Do WordPress.com users need to reset their passwords, but before that, are we going to receive a confirmation that the old, potentially compromised SSL certificate has been replaced?

    This has nothing to do with individual blogs, so the “com vs. org” discussion is a distraction. This issue affects all WordPress.com users who are users of the larger WordPress.com infrastructure (previously known as WPMU?)

    #1739029

    theh2obaby
    Member

    Okay, in the vast silence from WordPress, I decided to just change my password and be done with it. Repeatedly, I get “Unauthorized Password Change Request” after the form says the Password can be saved. What’s happening here?

    #1739030

    colwebhelp
    Member

    While the “Heartbleed” vulnerability is a serious one, it alone probably did not compromise much (if any) information on WordPress.com (or any other sites).
    It is possible for a hacker to get sensitive information from a server, but I’ve yet to see any evidence that this exploit has been seen “in the wild.” (links, anyone?)
    What is most serious for a site like this is that an eavesdropper *might* get the private key and decode SSL traffic to the site, which would reveal passwords. What all news reports seem to overlook is that the hacker would need to be in a position to eavesdrop. This generally means being on the same sub-net. I can eavesdrop on my co-workers on my hall, but not the ones on other floors. I can eavesdrop on the traffic in my home, but I cannot see my neighbor’s traffic, even if they are on the same cable ISP. If your WiFi is not secured with WPA, this bug might make you vulnerable.
    The PR effort that went into this announcement (heartbleed.com, logo, etc.) leads me to believe that someone has an ulterior motive. Certainly Cloudflare and others were tooting their own horns while others were scrambling to get patches out.
    Like all security bugs, we need to take steps to secure our systems, such as timely updates. Like all security bugs, this is no time to panic or abandon OSS.

    #1739031

    colwebhelp
    Member

    Password changes are a good idea. @theh2obaby – my password change went through without a glitch…

    If you used the same password elsewhere, give yourself a dope-slap and go change it to something different and secure (can you google “password safe”?).

    Also, regarding the “silence” from WordPress.com – they are secure and patched. There is *nothing* else they can say. They were not negligent. There is no way to know if their SSL was compromised, and even if it was, see my previous post.

    #1739038

    theh2obaby
    Member

    colwebhelp ~ Thanks for the feedback.

    #1739058

    davidderrick
    Member

    @seanmwooten “The silence on this issue from the WordPress.com staff is disappointing.”

    I’m afraid that’s very typical. Staff often do not even bother to read the thread on which they are commenting (when they come in at all). But here, as you say, nothing.

    #1739059

    timethief
    Member

    @davidderrick
    markjaquith is Staff. … a provider of freelance WordPress services, and a lead developer of the WordPress personal publishing platform.

    #1739060

    davidderrick
    Member

    Ok, then I partly take that back … markjaquith gave an excellent reply.

    #1739061

    davidderrick
    Member

    Ok, then I partly take that back … markjaquith gave an excellent reply.

    #1739063

    timethief
    Member

    @davidderrick
    Indeed he did. :)

    #1739071

    seanmwooten
    Member

    This thread has been seriously derailed. I don’t post here often so I don’t want to get off on the wrong foot with anyone, but the majority of these posts have nothing to do with the issue at hand and are serving as a distraction.

    Not to insult markjaquith or diminish his role in the WordPress community, but he is not WordPress.com staff. In relation to WordPress.com, since this is the “.com” forum as we were reminded from the beginning, the WordPress software itself is not the issue. The SSL certificate is the issue and it needs to be replaced.

    This is an issue for the WordPress.com staff who operate the servers, and those are the people we should be hearing from. The staff at Google, Yahoo, Facebook, and Tumblr have all issued statements concerning how this vulnerability affects their users and if it is safe to reset user passwords. Someone from WordPress.com needs to issue a similar statement.

    colwebhelp: This is good information, but I will not feel secure until WordPress.com is issued a new SSL certificate. If it is revealed that the locks on my front door are defective, the fact that no one has yet broken into my house, or that the police regularly patrol my neighborhood, isn’t an answer to the problem. The locks need to be replaced.

    #1739074

    timethief
    Member

    @seanmwooten
    I beg your pardon for using the “Staff” word when referring to markjaquith.

The topic ‘Heart bleed bug: Is WP compromised?’ is closed to new replies.