[cc-devel] Heartbeat and CC

Discussion:

Matt Lee

2014-04-08 17:00:08 UTC

My timing is great -- take over all the machines, and now I have to
patch a bunch of them against the Heartbeat SSL vulnerability.

Luckily(?) many of them are on Debian Squeeze, which is too old to be
affected. I'll be reissuing the SSL certificate anyway, for the donate
and main websites.

Let me know if there's any SSL sites under creativecommons.org that
aren't working as they should and I'll get on it.

Best,

matt

Maarten Zeinstra

2014-04-08 21:14:50 UTC

Permalink

Hi Matt,

Fast pickup, good luck tracking them down. Did you test the vulnerability of creativecommons.org. I read about?http://filippo.io/Heartbleed/?which claims to be able to check ?vulnerability.

I had a discussion once with Dan about the services by Creative Commons, he had a list of all domains hosted under creativecommons.org. You should probably check that list if you haven't already.?

I tried going to https://search.creativecommons.org but got directed to https://api.creativecommons.org/ which had an expired certificate. Don?t know if that is related

Cheers,

Maarten
--?
Kennisland??|?www.kennisland.nl?|?t +31205756720?|?m +31643053919?| @mzeinstra

On 8 Apr 2014 at 19:00:19 , Matt Lee (mattl at creativecommons.org) wrote:

My timing is great -- take over all the machines, and now I have to
patch a bunch of them against the Heartbeat SSL vulnerability.

Luckily(?) many of them are on Debian Squeeze, which is too old to be
affected. I'll be reissuing the SSL certificate anyway, for the donate
and main websites.

Let me know if there's any SSL sites under creativecommons.org that
aren't working as they should and I'll get on it.

Best,

matt
_______________________________________________
cc-devel mailing list
cc-devel at lists.ibiblio.org
http://lists.ibiblio.org/mailman/listinfo/cc-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ibiblio.org/pipermail/cc-devel/attachments/20140408/5ab7116d/attachment.html>

Matt Lee

2014-04-08 21:20:42 UTC

Permalink

Post by Maarten Zeinstra
I tried going to https://search.creativecommons.org but got directed to
https://api.creativecommons.org/ which had an expired certificate. Don't
know if that is related

Noted.

creativecommons.org was vulnerable. I have updated openssl on it, and
other machines.

Next step is to fix the certificate.

I requested a new wildcart cert and its on its way.
I have a list of sites and I'll work on getting them fixed in the next
couple of days.

I also hope to have some sites that were previously not under HTTPS
available too.

Best,

matt

Matt Lee

2014-04-08 23:04:51 UTC

Permalink

creativecommons.org, donate.creativecommons.org and
api.creativecommons.org now all have the new certificate in place.

More sites will happen tomorrow. Please let me know if you notice any
weirdness with the above sites.

---
Matt Lee
Creative Commons

Mallory Knodel

2014-04-08 23:53:40 UTC

Permalink

Just to note that it's not enough to patch everything. You need to
regenerate all of your keys in case they were compromised before the bug
was reported.

-Mallory

Post by Matt Lee
creativecommons.org, donate.creativecommons.org and
api.creativecommons.org now all have the new certificate in place.
More sites will happen tomorrow. Please let me know if you notice any
weirdness with the above sites.
---
Matt Lee
Creative Commons
_______________________________________________
cc-devel mailing list
cc-devel at lists.ibiblio.org
http://lists.ibiblio.org/mailman/listinfo/cc-devel

--
Mallory Knodel
Communications & Network Development Manager :: mallory at apc.org
<http://mailto:mallory at apc.org>
Association for Progressive Communications :: apc.org <http://apc.org>
twitter. @malloryknodel <https://twitter.com/malloryknodel> :: xmpp.
malloryk at im.mayfirst.org
gpg fingerprint :: E3EB 63E0 65A3 B240 BCD9 B071 0C32 A271 BD3C C780
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ibiblio.org/pipermail/cc-devel/attachments/20140408/dcc81ff5/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ibiblio.org/pipermail/cc-devel/attachments/20140408/dcc81ff5/attachment.sig>

Matt Lee

2014-04-09 01:39:47 UTC

Permalink

Post by Mallory Knodel
Just to note that it's not enough to patch everything. You need to
regenerate all of your keys in case they were compromised before the bug was
reported.

Hey Mallory,

Yep. They all have brand new SSL certificates in place, generated from new keys.