http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/?_php=true&_type=blogs&hp&_r=0
I'd assume in the next few days, one would have to wonder whether to fix all the passwords or not? I know we'll change our bank today.
I sure hope Logos is on top of this too. I'm going to keep my password until I hear.
Thanks for the info.
Changing passwords too quickly can present new problems. How can we trust all affected websites to fix this promptly? Certain .gov websites use OpenSSL and are notoriously lax on security. Bad day for privacy :-(
This is exactly the kind of thing that makes me wary about synching everything online, the way Logos does.
Can Logos put out an official announcement on this? Preferably SOON. We're talking a potential leak of personal data, CC data, "Bible stuff".
Tried removing my card and it is taking rather long. Something tells me they are working on it.
My recommendation, shut down the store and fix it, rather than trying to keep it open and patching at the same time. The inconvenience to customers is worth it.
Kudos to Logos!
But this bug affects everything. Internal LANs, leased servers, and who-knows-what. And we do not know the security exposure over the last 24 months.
I'm waiting for Logos to put out some official word for everyone's sake.
biblia, faithlife, vyrso, logos are all checking out to be ok.
The problem is much more complicated than that...
I just put the websites listed above, to see if they checked out on the heartbleed site. But your point on it affecting internal systems means more work.
Folks,
OpenSSL is pretty much a Linux-only product / library (along with some other Unix-like variants, which have little horizontal penetration in serving the internet). Linux-based web servers which leverage OpenSSL (most notably Apache and nginx) would be subject to this vulnerability. The primary Windows-based web server, IIS, would not be subject to this vulnerability.
It's a big deal, yes. Where I work, we're checking for where we might be impacted. But not every site on the web is subject to it, and exploitation is not trivial. The nytimes article is unhelpful in stating what's possible via the vulnerability but providing no detail about how it's possible or what has to happen to take advantage of the problem.
http://heartbleed.com/
Donnie
Donnie ... no offense but exactly how would an average user know that, without a note from the site? (Or your helpful advice?) And to be honest, I'm reluctant to click on heartbleed (though it's probably safe, right? Hasn't been hacked?).
The link I included was just the details on the vulnerability - more technical info on the issue than the nytimes article. For even more detail: http://coolthingoftheday.blogspot.co.uk/2014/04/heartbleed-in-eight-minutes-what-it-is.html .
I'm not saying it's not a big deal - it's a very big deal. It just seemed like everyone assumed that Logos was impacted by the vulnerability and were asking when they'd fix it (witness the thread title). Versus first finding out if they were impacted and, if they were, then asking if they had already addressed the issue.
Sorry if I wasn't clear on that point.
Logos was not significantly affected by this. We do not use the vulnerable OpenSSL on our commerce web sites (where ordering, credit cards, etc. happen). We did use it on one site where we collect statistics (did you run the app, log into one of our web properties, etc.) but there's nothing particularly confidential here, and it does not involve credit cards or commerce.
We are having a new certificate issued (like almost every Internet site today!) for this server; the patch is already in place.
Thanks Bob. Great to hear this.