Printrbot Talk Forum

[jeromedayton]

Site administrator-

I checked this site against , a site that checks for Heartbleed vulnerability. This is what I got:

Unable to get HTTP headers for www.printrbottalk.com
Site: www.printrbottalk.com
Server software: Not reported
Was vulnerable: Possibly (might use OpenSSL, but we can't tell)
SSL Certificate: Unable to extract SSL information.
Does https://www.printrbottalk.com work for you? This tool is only for HTTPS sites.


So what's the status?

[jeromedayton]

okay, a little more information. I see that doesn't work so this means that our password setting and usage is all in clear text. Can you fix the website so that 1) you have a ssl certificate and 2) that all password entry and changing is done via https?

I hate having ANY of my password activity being in the clear.

Thanks

[plexus]

Unfortunately this will likely not happen. if you are concerned about your personal info and password you should consider putting as minimal amount of personal info as possible in the registration info and use a unique password for this forum that you do not use elsewhere. thanks for looking into this.

We are hosted by Dreamhost. here is their notice about Heartbleed:

DreamHost and Heartbleed – Notes on OpenSSL Vulnerability
Posted (April 9th, 2014 at 3:22 pm PST) by Brett
This vulnerability only affects domains which use secure hosting / SSL.
- If you purchased a secure certificate from us, you’re safe! There is nothing you need to do.
- If you generated keys with us but purchased the certificate from another provider, you will have to check with them to see if you need new ones. If you do, you will have to get the new certificate through them and then we’ll be happy to provide you with new keys!
- If you’ve purchased a certificate from us and are now using it with another provider, you will need to ensure that other provider was not affected by this vulnerability. If they were, our technical support team will be happy to issue you a new certificate and keys!

As soon as we learned of the “Heartbleed” OpenSSL vulnerability, we began to patch any and all systems that it may have affected. Fortunately this was a very small subset of our systems and was mostly isolated to a small group of mail machines. As of early yesterday, all of our systems are patched. As a preventative measure, we are also re-keying the certificates on any systems with that bug. We have no reason to believe that any of those machines have been compromised, but in the interest of proactive security, we feel that changing SSL certificates is the best option.

DreamHost.com was not vulnerable, but the machines that redirected traffic to our actual site were. This was corrected quickly and those machines will also have their certificates re-keyed.

We can confidently say that our shared servers, VPS guests, and dedicated machines are NOT vulnerable to this issue because they run Debian “Lenny” and/or “Squeeze”. The most common version of OpenSSL on our network is 0.9.8o-4squeeze14, and the “HeartBleed” vulnerability in OpenSSL’s heartbeat module exists in versions 1.0.1 and 1.0.2-beta.

If you have any questions or concerns, please don’t hesitate to contact our support team.

UPDATE: April 10, 2014, 11:08 PM PDT: Please note, that earlier today we re-issued our email certificates. To resolve any exception or error when it shows up regarding mismatch, you can try accepting the certificate. If that doesn’t help, you will need to remove your email address from your email client then re-add it and accept the security certificate/exceptions and server identities during that process.

[jeromedayton]

[RetireeJay]

Look at the URL for this site: it starts with http, not https. So that means anything on this site is public knowledge.

Like Plexus said, use a unique password for this site, and be sparing about what information you share.

[plexus]

I took a look at some other forums I use. They are all much much bigger than this forum in terms of members and have been around a lot longer. none of them use SSL. phpBB is fragile and it doesn't take much to take the site down. I'd rather not mess with this and risk the forum being taken down and lag time to try and get it back up. SSL is simply not a forum best practice. Again, thanks for the concern and bringing this issue up.

[evanalmighty]

Most non e-commerce sites, besides big ones like google and yahoo, don't use SSL. And just because the lack of SSL allows someone to sniff data being sent, it doesn't mean the data is in plain text. Imagine yourself listening in on a phone call and all your could hear is static noises. Lets say my password for this forum is password, but it's stored in the forum database as something like $H$7rssbSMgLmkpWoRKZMdk6ERZ4Fhrkq1. Even if Plexus pulls up the database and look at everyone's passwords, he can't do anything with them anyway unless he can un-hash the data. SSL is like the red phone at the white house where you can't tap the line and listen in. It's pretty useless here on a forum because everything you say ends up being public for everyone to read anyway. Sure there are instances where your password is being sent between your ISP and the forum's web server, but 99% of all other data transmissions between you and this website is all public info. When hackers want to get your private info, they don't sniff the data packets, they go straight to the database where everything is already stored. Then they can take their time and decrypt the passwords hashes. No amount of SSL is going to protect against that. They only reason they try to sniff data on e-commerce sites because they know that a majority of info being sent between users and the servers are sensitive and usable data. They can profit off of banking info and credit cards. My rant about SSL and how printrbot support tend to suck... not so profitable.

[thawkins]

[jeromedayton]

Well it looks like I overreacted.

First a little background.

I've been a software architect for both large commercial enterprise and Department of Defense (DOD) applications. On the former we had to guard sensitive corporate information and in the latter classified information. I was frequently responsible for designing the security solutions which were particularly onerous for the DOD. Thus my security paranoia.

The frameworks I used always readily support encrypted and non-encrypted traffic and because of the extra overhead of encryption (cpu resources and lag time), we would frequently within an application switch between the two depending on if the information was sensitive or not.

I also built several forums using forum application software that readily supported encrypted sign-ins and profile maintenance while everything else was done non-encrypted.

So I had blithely assumed that industry best practices for forums was to encrypt password entry and profile maintenance. Imagine my shock when I've come do discover that is not the case. (In particular I noticed that http://www.printrbot.com uses encryption while help.printrbot.com does not). While I routinely check for https when entering credit card information, I have not been doing so when entering passwords, silly me.

Luckily because of my practice of using a unique password for every website, I'm in no immediate danger. However I have to be a lot more circumspect about what personal information I put into non-secure sites.

And I had also falsely assumed that Plexus was using forum application software provided by dreamhost and come to find out that he built and maintains the website in phpBB and that it is fairly brittle. So to expect someone who is largely unpaid to fix this is unreasonable.

However I do think that all existing users should be warned that their personal information is not secure. And I think that that new users should also be similarly warned when creating their account.

I also want to thank Plexus for his continuing efforts to keep this forum running.

[RetireeJay]

[jeromedayton]

[thawkins]

[evanalmighty]

I'm not going to debate SSL since you seem to be on top of what it is and what it isn't. I'm just saying it's like you're saying you won't take your kids to the park if the park doesn't have a metal detector with bomb snuffing dogs roaming the fields.

[jeromedayton]