Is/was this forum vulnerable to Heartbleed?

Discussions about the forum. How to expand and enhance it.

Is/was this forum vulnerable to Heartbleed?

Postby jeromedayton » 2014-Apr-Fri-12-Apr

Site administrator-

I checked this site against https://lastpass.com/heartbleed, a site that checks for Heartbleed vulnerability. This is what I got:

Unable to get HTTP headers for www.printrbottalk.com
Site: www.printrbottalk.com
Server software: Not reported
Was vulnerable: Possibly (might use OpenSSL, but we can't tell)
SSL Certificate: Unable to extract SSL information.
Does https://www.printrbottalk.com work for you? This tool is only for HTTPS sites.


So what's the status?

Jerome
Retired Software Developer
Printrbot Simple operational since Xmas 2013
Printrbot Jr v 2 with alu extruder March 2014
jeromedayton
Waiting for extruder temp...
Posts: 82
Joined: 2014-Jan-Fri-15-Jan
Reputation: 2

Re: Is/was this forum vulnerable to Heartbleed?

Postby jeromedayton » 2014-Apr-Fri-13-Apr

Okay, a little more information. I see that https://www.printrbottalk.com doesn't work, so this means that our password setting and usage is all in clear text. Can you fix the website so that 1) you have an SSL certificate and 2) all password entry and changing is done via https?

I hate having ANY of my password activity being in the clear.

Thanks

Re: Is/was this forum vulnerable to Heartbleed?

Postby plexus » 2014-Apr-Fri-13-Apr

Unfortunately this will likely not happen. If you are concerned about your personal info and password, you should consider putting as minimal an amount of personal info as possible in the registration info and use a unique password for this forum that you do not use elsewhere. Thanks for looking into this.

We are hosted by Dreamhost. Here is their notice about Heartbleed:

DreamHost and Heartbleed – Notes on OpenSSL Vulnerability
Posted (April 9th, 2014 at 3:22 pm PST) by Brett
This vulnerability only affects domains which use secure hosting / SSL.
- If you purchased a secure certificate from us, you’re safe! There is nothing you need to do.
- If you generated keys with us but purchased the certificate from another provider, you will have to check with them to see if you need new ones. If you do, you will have to get the new certificate through them and then we’ll be happy to provide you with new keys!
- If you’ve purchased a certificate from us and are now using it with another provider, you will need to ensure that other provider was not affected by this vulnerability. If they were, our technical support team will be happy to issue you a new certificate and keys!

As soon as we learned of the “Heartbleed” OpenSSL vulnerability, we began to patch any and all systems that it may have affected. Fortunately this was a very small subset of our systems and was mostly isolated to a small group of mail machines. As of early yesterday, all of our systems are patched. As a preventative measure, we are also re-keying the certificates on any systems with that bug. We have no reason to believe that any of those machines have been compromised, but in the interest of proactive security, we feel that changing SSL certificates is the best option.

DreamHost.com was not vulnerable, but the machines that redirected traffic to our actual site were. This was corrected quickly and those machines will also have their certificates re-keyed.

We can confidently say that our shared servers, VPS guests, and dedicated machines are NOT vulnerable to this issue because they run Debian “Lenny” and/or “Squeeze”. The most common version of OpenSSL on our network is 0.9.8o-4squeeze14, and the “HeartBleed” vulnerability in OpenSSL’s heartbeat module exists in versions 1.0.1 and 1.0.2-beta.

If you have any questions or concerns, please don’t hesitate to contact our support team.

UPDATE: April 10, 2014, 11:08 PM PDT: Please note, that earlier today we re-issued our email certificates. To resolve any exception or error when it shows up regarding mismatch, you can try accepting the certificate. If that doesn’t help, you will need to remove your email address from your email client then re-add it and accept the security certificate/exceptions and server identities during that process.

plexus
Site Admin
Posts: 2110
Joined: 2011-Dec-Mon-16-Dec
Location: Toronto, Canada
Reputation: 94
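The DreamHost notice above and the LastPass checker's "might use OpenSSL, but we can't tell" both come down to one question: which OpenSSL build is actually serving the host. As an added example (not part of the original thread and not DreamHost's or LastPass's code), here is a small Python classifier for the version strings that appear in such notices and in `openssl version` output. It encodes the affected range DreamHost describes (upstream 1.0.1 through 1.0.1f plus the first 1.0.2 beta; 1.0.1g fixed it, and the 0.9.8 and 1.0.0 branches never had the heartbeat code) and adds the caveat a practitioner needs: distributions backported the fix without changing the version letter, so a packaged "1.0.1e" can be either. The sample strings in the usage section are constructed inputs for the example.

```python
import re

# CVE-2014-0160 ("Heartbleed") lives in the TLS heartbeat code that upstream
# OpenSSL shipped in 1.0.1 through 1.0.1f and in 1.0.2-beta1. 1.0.1g fixed it;
# the 0.9.8 and 1.0.0 branches never contained that code.
#
# Only 0.x and 1.x versions are recognised, so an unrelated version in a
# Server header (e.g. "Apache/2.2.22") is reported as unknown, not as safe.
_VERSION_RE = re.compile(r"\b([01])\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d*))?")

# Debian/Ubuntu-style package revision directly after the upstream version,
# e.g. the "-4squeeze14" in "0.9.8o-4squeeze14" or "-2+deb7u7".
_PKG_REVISION_RE = re.compile(r"^[-+]\d")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, beta, packaged) or None if absent.

    `packaged` is True when a distro package revision follows the version,
    which means the vendor may have patched the code without bumping it.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix, letter, beta = m.groups()
    packaged = bool(_PKG_REVISION_RE.match(text[m.end():]))
    return int(major), int(minor), int(fix), letter, beta or "", packaged


def heartbleed_status(text):
    """Classify a reported OpenSSL version string.

    "vulnerable":            an upstream release that shipped the bug
    "not vulnerable":        a release without the bug
    "check vendor patches":  upstream-vulnerable number, but carrying a distro
                             package revision; the string alone cannot settle it
    "unknown":               no OpenSSL-style version in the input (the
                             checker's "we can't tell")
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta, packaged = parsed
    branch = (major, minor, fix)
    if branch == (1, 0, 1):
        # "" (plain 1.0.1) and a..f shipped the bug; g and later are fixed.
        upstream_vulnerable = letter <= "f"
    elif branch == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug; beta2 and the release did not.
        upstream_vulnerable = beta in ("beta", "beta1")
    else:
        # 0.9.8 and 1.0.0 lack the heartbeat code; anything newer is fixed.
        upstream_vulnerable = False
    if not upstream_vulnerable:
        return "not vulnerable"
    return "check vendor patches" if packaged else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g", "0.9.8o-4squeeze14",
                   "1.0.2-beta1", "1.0.1e-2+deb7u7", "Apache/2.2.22 (Debian)"):
        print(f"{sample!r:32} -> {heartbleed_status(sample)}")
```

The "check vendor patches" outcome is the one that matters on shared hosting: DreamHost's 0.9.8o-4squeeze14 classifies as not vulnerable on the version number alone, but a Debian 1.0.1e package can only be judged by its changelog or by probing the heartbeat extension on the live service, never by the version string.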

Re: Is/was this forum vulnerable to Heartbleed?

Postby jeromedayton » 2014-Apr-Fri-14-Apr

plexus wrote:Unfortunately this will likely not happen. if you are concerned about your personal info and password you should consider putting as minimal amount of personal info as possible in the registration info and use a unique password for this forum that you do not use elsewhere. thanks for looking into this.


I don't mean to be an alarmist here (well maybe I do) but in this day and age, it's almost unconscionable that any website would manage passwords in the clear because the very purpose of passwords is to prevent someone from impersonating you and doing bad things in your name (like posting profanity as me and getting me kicked off this website, let alone getting enough information to steal my identity).

I long ago adopted the habit of having a unique password for each website as not all websites are diligent about guarding where and how they store them, and thus a breach on one website was a breach across multiple websites. But I assure you not everyone is as diligent about this as I am so there are probably a lot of forum users at risk right now!

I'm sorry if I'm paranoid but I worked on DOD stuff where security was paramount and this lack of encryption makes me quake in my boots. I've just seen what determined hackers can do. I can guarantee that hackers will target ANY website where passwords are used in the clear to see what they can harvest!!!!! I'm not the only one in jeopardy here.

Can you pressure dreamhost to change their password management?

Otherwise I'll have to seriously consider whether I can continue to post to this wonderful resource.

Re: Is/was this forum vulnerable to Heartbleed?

Postby RetireeJay » 2014-Apr-Fri-16-Apr

Look at the URL for this site: it starts with http, not https. So that means anything on this site is public knowledge.

Like Plexus said, use a unique password for this site, and be sparing about what information you share.

Printrbot Plus operational January 2013
Brass threaded rods (5/16" X 18) & nuts for Z axis
GT2 belts & pulleys
Cable chain to reduce probability of fatigue failure in wires
E3D V5 Hot End, 0.4mm nozzle, also 0.8 and 0.25 in use occasionally
PB fan mount + 40mm fan -- using printed mount adapter, not the E3D supplied fan
Injection molded extruder gears
Optical Z "endstop" (custom designed and built)
Have used many pounds of T-Glase filament. Now also doing some work with Ninjaflex SemiFlex
Print on glass with Scotch Craft Stick or other glue stick
RetireeJay
My next printer is...
Posts: 4567
Joined: 2013-Jan-Wed-13-Jan
Location: Greenville, SC
Reputation: 474

Re: Is/was this forum vulnerable to Heartbleed?

Postby plexus » 2014-Apr-Fri-16-Apr

I took a look at some other forums I use. They are all much much bigger than this forum in terms of members and have been around a lot longer. None of them use SSL. phpBB is fragile and it doesn't take much to take the site down. I'd rather not mess with this and risk the forum being taken down and lag time to try and get it back up. SSL is simply not a forum best practice. Again, thanks for the concern and bringing this issue up.

Re: Is/was this forum vulnerable to Heartbleed?

Postby evanalmighty » 2014-Apr-Fri-17-Apr

Most non e-commerce sites, besides big ones like Google and Yahoo, don't use SSL. And just because the lack of SSL allows someone to sniff data being sent, it doesn't mean the data is in plain text. Imagine yourself listening in on a phone call and all you could hear is static noises. Let's say my password for this forum is password, but it's stored in the forum database as something like $H$7rssbSMgLmkpWoRKZMdk6ERZ4Fhrkq1. Even if Plexus pulls up the database and looks at everyone's passwords, he can't do anything with them anyway unless he can un-hash the data. SSL is like the red phone at the White House where you can't tap the line and listen in. It's pretty useless here on a forum because everything you say ends up being public for everyone to read anyway. Sure there are instances where your password is being sent between your ISP and the forum's web server, but 99% of all other data transmissions between you and this website is all public info. When hackers want to get your private info, they don't sniff the data packets, they go straight to the database where everything is already stored. Then they can take their time and decrypt the password hashes. No amount of SSL is going to protect against that. The only reason they try to sniff data on e-commerce sites is because they know that a majority of info being sent between users and the servers is sensitive and usable data. They can profit off of banking info and credit cards. My rant about SSL and how printrbot support tends to suck... not so profitable.

evanalmighty
Layer 650 of 1234
Posts: 689
Joined: 2014-Feb-Mon-15-Feb
Location: Irvine, CA
Reputation: 45
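What travels over plain HTTP and what phpBB keeps in its database are two different strings, and that distinction is what the post above and the replies that follow argue over. As an added example (not from the thread and not phpBB's own code), the Python below reimplements the portable phpass hash format whose `$H$` prefix appears in the post, and pulls the credentials out of a constructed login POST of the kind a packet sniffer sees on an HTTP-only forum. The captured request, the user name and the password are made up for the example; the `ucp.php?mode=login` path and the `username`/`password` field names follow phpBB's login form, but that is an assumption, not something the thread states.

```python
import hashlib
import secrets
from urllib.parse import parse_qs

# phpass's own 64-character alphabet (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass's base64 variant: 6-bit groups taken little-endian from 3-byte chunks."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password, setting):
    """Portable phpass hash of `password` under `setting` (first 12 chars of a stored hash).

    Layout: "$H$" (phpBB3) or "$P$" (WordPress), one character giving log2 of the
    iteration count, then an 8-character salt. The digest is MD5(salt + password)
    followed by 2**count rounds of MD5(previous + password); the output is the
    setting plus 22 characters of _encode64 over the 16-byte digest.
    """
    if len(setting) < 12 or setting[0:3] not in ("$H$", "$P$"):
        raise ValueError("not a portable phpass setting")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("unsupported iteration count")
    salt = setting[4:12]
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password, count_log2=11):
    """Create a new hash with a fresh random salt, as the forum does at registration."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return phpass_crypt(password, "$H$" + ITOA64[count_log2] + salt)


def phpass_check(password, stored_hash):
    """Server-side login check: recompute under the stored setting, compare in constant time."""
    try:
        candidate = phpass_crypt(password, stored_hash[:12])
    except ValueError:
        return False
    return secrets.compare_digest(candidate, stored_hash)


# Constructed for this example: a login POST as it appears on the wire when the
# forum is served over plain HTTP. The browser sends the password itself; the
# $H$ hash never leaves the server.
CAPTURED_REQUEST = (
    b"POST /ucp.php?mode=login HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=jerome&password=correct+horse&login=Login"
)


def credentials_from_capture(raw):
    """What a sniffer gets from the request: the form fields, decoded."""
    body = raw.split(b"\r\n\r\n", 1)[1].decode("ascii")
    fields = parse_qs(body)
    return fields["username"][0], fields["password"][0]


if __name__ == "__main__":
    user, password = credentials_from_capture(CAPTURED_REQUEST)
    stored = phpass_hash(password)            # what the database row holds
    print("on the wire:", user, password)
    print("in the database:", stored)
    print("login with sniffed password:", phpass_check(password, stored))
```

Two things follow from running it. The sniffer never needs the `$H$` string: the password is in the POST body, and logging in with it is exactly what `phpass_check` accepts. And the stored value is salted, iterated MD5, which stops precomputed tables but is cheap to brute-force offline, so an attacker who does reach the database is not stuck either.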

Re: Is/was this forum vulnerable to Heartbleed?

Postby thawkins » 2014-Apr-Fri-18-Apr

jeromedayton wrote:I don't mean to be an alarmist here (well maybe I do) but in this day and age, it's almost unconscionable that any website would manage passwords in the clear ...


The amount of private data held does not warrant using SSL; almost everything on the site can be seen by a logged out user anyway. The worst that can happen is that somebody will get your password, and all they can really do is post as you. There are no financial functions on this site.

SSL mainly protects against man in the middle attacks, an attacker would have to be between you and the site.

What is far more of concern is somebody breaking into the server and accessing the database, using XSS or SQL injection, and having SSL or not is not going to make any difference at all on that.

SSL certificates cost money and time to install and manage, this is a free resource that probably barely makes enough on its adsense to cover its hosting costs, and is provided by plexus because he is part of a community, it is not supported by printrbot.

Jonbot+
225mm x 200mm - Heated Bed
RAMPS 1.4 running Marlin 1.1.0
Full Graphic display.
-------------------------------
Zen Toolworks CNC/3d printer
230mmx360mm bed
Dual j-head hotends.
Dual heated beds.
RAMPS 1.4 running Marlin 0.98
-------------------------------
Flashforge 3d Creator Pro
Dual Extruder
220x143x150mm
Mightyboard rev e, running Sailfish 7.7r1234
-------------------------------
Photon, self designed printed printer.
thawkins
Print winner 2nd
Posts: 1636
Joined: 2013-Aug-Sun-10-Aug
Location: Manila, Philippines
Reputation: 171

Re: Is/was this forum vulnerable to Heartbleed?

Postby jeromedayton » 2014-Apr-Fri-19-Apr

Well it looks like I overreacted.

First a little background.

I've been a software architect for both large commercial enterprise and Department of Defense (DOD) applications. On the former we had to guard sensitive corporate information and in the latter classified information. I was frequently responsible for designing the security solutions which were particularly onerous for the DOD. Thus my security paranoia.

The frameworks I used always readily support encrypted and non-encrypted traffic and because of the extra overhead of encryption (cpu resources and lag time), we would frequently within an application switch between the two depending on if the information was sensitive or not.

I also built several forums using forum application software that readily supported encrypted sign-ins and profile maintenance while everything else was done non-encrypted.

So I had blithely assumed that industry best practice for forums was to encrypt password entry and profile maintenance. Imagine my shock when I've come to discover that is not the case. (In particular I noticed that http://www.printrbot.com uses encryption while help.printrbot.com does not.) While I routinely check for https when entering credit card information, I have not been doing so when entering passwords, silly me.

Luckily because of my practice of using a unique password for every website, I'm in no immediate danger. However I have to be a lot more circumspect about what personal information I put into non-secure sites.

And I had also falsely assumed that Plexus was using forum application software provided by dreamhost and come to find out that he built and maintains the website in phpBB and that it is fairly brittle. So to expect someone who is largely unpaid to fix this is unreasonable.

However I do think that all existing users should be warned that their personal information is not secure. And I think that that new users should also be similarly warned when creating their account.

I also want to thank Plexus for his continuing efforts to keep this forum running.

Last edited by jeromedayton on 2014-Apr-Fri-19-Apr, edited 2 times in total.

Re: Is/was this forum vulnerable to Heartbleed?

Postby RetireeJay » 2014-Apr-Fri-19-Apr

jeromedayton wrote:I also want to thank Plexus for his continuing efforts to keep this forum running.


Amen to that! :D

Re: Is/was this forum vulnerable to Heartbleed?

Postby jeromedayton » 2014-Apr-Sat-06-Apr

First my conclusions from above have not changed. However there are a couple of statements I need to challenge as I did application security for a living.

evanalmighty wrote:Most non e-commerce sites, besides big ones like google and yahoo, don't use SSL. And just because the lack of SSL allows someone to sniff data being sent, it doesn't mean the data is in plain text. Imagine yourself listening in on a phone call and all your could hear is static noises. Lets say my password for this forum is password, but it's stored in the forum database as something like $H$7rssbSMgLmkpWoRKZMdk6ERZ4Fhrkq1.


Regardless of whether the password is encrypted by the client before it is sent to the server, what's important IS WHAT IS PRESENTED TO THE SERVER. So if my password is "password" but is encrypted to "$H$7rssbSMgLmkpWoRKZMdk6ERZ4Fhrkq1" by the client (perhaps by jscript) before it is sent to the server, I NOW HAVE THE KEY TO GET INTO THE SERVER. All I have to do in the future is to use the username (which I have also sniffed), and this "encrypted" password to get into the server. When I say "clear text" I mean unencrypted (non ssl) traffic.

thawkins wrote:SSL mainly protects against man in the middle attacks, an attacker would have to be between you and the site.


Not quite true. SSL's main job is to encrypt traffic so packet sniffers can't decipher that traffic. Part of setting up an "encrypted" connection is making sure no one is defeating this setup by doing a man in the middle attack. When you ask for a HTTPS connection, you are going through a multi step handshake to establish the connection. First you negotiate over how strong the encryption should be (how many bytes the key will be). Then the client encrypts with the Server's public key (provided by the server's SSL certificate) both the key it wants to use for the connection/session AND a challenge. The Server then decrypts that connection/session key using its private key (also provided by the Server's SSL certificate, and if the security officer has done his job, only available on the Server), encrypts the challenge with the connection/session key, and returns the challenge. The client then checks the returned challenge (encrypted with the connection/session key) and if it is okay, then proceeds to encrypt all communication with the Server with the connection/session key. The Server then does the same. A man in the middle who is attempting to act as the server and provide a false secure connection would first be defeated by his inability to decipher the connection/session key (encrypted with the public key) and as an extra precaution, his inability to properly return the challenge. The people who designed SSL really thought this through.

I've worked on systems where we not only routinely used ssl, but also used short time to live "credential" cookies. Typically in a web based system, a "version" of your credentials are stored as a cookie on the client so you don't have to be re-authenticated on each roundtrip. To guard against the possibility of someone hacking the client and getting these cookies, the cookies were only good for about 5 minutes. And on each roundtrip, we would return a new security cookie. If someone managed later to get the security cookie by hacking a client, it would only be good for about 5 minutes, hopefully too late to do the hacker any good.

To say that I'm security paranoid would be an understatement. We were exposed to multi-million dollar liability if we failed to adequately guard client assets.
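The short-lived, per-round-trip credential cookie described in the post above can be built from the Python standard library alone. The following is an added example, not code from the post's author or from any system he describes: an HMAC-signed token carrying the user name and an expiry five minutes out, which the server verifies on every request and then replaces with a fresh one. `SERVER_KEY`, the JSON token layout, the 300-second TTL and the `now` parameters (there so the behaviour can be checked at fixed times) are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed per-server secret. It never leaves the server; rotating it
# invalidates every outstanding token at once.
SERVER_KEY = secrets.token_bytes(32)
TTL_SECONDS = 300  # "only good for about 5 minutes", as in the post


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, now=None, key=SERVER_KEY):
    """Mint a token binding `user` to an expiry TTL_SECONDS after `now`.

    The nonce makes every issued token distinct, so a rotated token is
    never byte-identical to the one it replaces.
    """
    now = time.time() if now is None else now
    payload = {"user": user, "exp": int(now) + TTL_SECONDS, "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_token(token, now=None, key=SERVER_KEY):
    """Return the user name if `token` is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None  # forged or tampered: the MAC does not match the body
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed base64, JSON, or missing separator
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # expired (or never had an expiry)
    return payload.get("user")


def handle_request(token, now=None):
    """Server side of one authenticated round trip.

    Verify the presented token and, if it is good, hand back a fresh one so
    the client holds any given token for at most TTL_SECONDS.
    Returns (user, new_token), or (None, None) when the request is rejected.
    """
    user = verify_token(token, now)
    if user is None:
        return None, None
    return user, issue_token(user, now)


if __name__ == "__main__":
    first = issue_token("jerome", now=1000)
    print("valid at t+100s:", verify_token(first, now=1100))
    print("valid at t+400s:", verify_token(first, now=1400))
    user, rotated = handle_request(first, now=1100)
    print("rotated for", user, "; differs from first:", rotated != first)
```

Two caveats a practitioner would attach. Rotation in a stateless scheme like this does not revoke the previous token: it stays valid until its own expiry unless the server also keeps a short deny list, so the five-minute window is the real protection. And the fresh token is returned on every round trip; over plain HTTP it is sniffable each time, which is why the post pairs this scheme with SSL rather than offering it as a substitute.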

Re: Is/was this forum vulnerable to Heartbleed?

Postby thawkins » 2014-Apr-Sat-08-Apr

jeromedayton wrote:First my conclusions from above have not changed. However there are a couple of statements I need to challenge as I did application security for a living.
...


I build ecommerce systems with multimillion dollar turnovers, we have ssl everywhere, intrusion detection, pci scanning, stateful packet inspection of every packet. We use every possible mechanism we can to protect our systems.

This is some of the orgs I have worked for. http://www.linkedin.com/in/timhawkins

But this is not an ecomm system, there is little more than lunch money involved here, so ssl is overkill and not relevant.

Re: Is/was this forum vulnerable to Heartbleed?

Postby evanalmighty » 2014-Apr-Sat-09-Apr

I'm not going to debate SSL since you seem to be on top of what it is and what it isn't. I'm just saying it's like you're saying you won't take your kids to the park if the park doesn't have a metal detector with bomb-sniffing dogs roaming the fields.

Re: Is/was this forum vulnerable to Heartbleed?

Postby jeromedayton » 2014-Apr-Sat-10-Apr

thawkins wrote:But this is not an ecomm system, there is little more than lunch money envolved here, so ssl is overkill and not relevant.

evanalmighty wrote:I'm not going to debate SSL since you seem to be on top of what it is and what it isn't. I'm just saying it's like you're saying you won't take your kids to the park if the park doesn't have a metal detector with bomb snuffing dogs roaming the fields.


Sorry guys that I didn't make it clear that I'm in violent agreement with you, that it's definitely not worth pursuing SSL for the printrbottalk forum. I thought I had said as much in this post.

jeromedayton wrote:Well it looks like I overreacted.
...
And I had also falsely assumed that Plexus was using forum application software provided by dreamhost and come to find out that he built and maintains the website in phpBB and that it is fairly brittle. So to expect someone who is largely unpaid to fix this is unreasonable.


I just wanted to correct some assertions that were made. It's just my penchant for being accurate.

I once had another software architect tell me that SSL was a one way only encryption because the public/private key only allowed the client to encrypt (using the public key). This kind of stuff just drives me crazy.

