Heartbleed


If you have not yet heard about the Internet bug in OpenSSL called "Heartbleed", you need to google that word ASAP and learn about this latest online security threat to hit the news.
gz3827
I emailed Audiogon support yesterday and asked them about this issue. When I saw this thread I sent them a link to it. Let's see how they respond.
Here is the response from Audiogon Support. Sounds like they have taken some steps but are still working on it.

At this time:
1. We are patching all of our encrypted resources right now
2. We have already taken steps to prevent exploitation of this vulnerability
3. Our platform providers, Heroku and Amazon, have already taken steps to prevent exploitation of this vulnerability
4. Users can and should change their passwords as an additional precaution
Thank you for being a valued member of the Audiogon community. Please do not hesitate to contact us if there is anything else we can assist you with.
I read somewhere that it only affects Linux and Unix operating systems and that the criminal has to be "looking" at your transaction live (while it happens), in order to get your info.

I feel pretty safe. For now.

All the best,
Nonoise
I read somewhere that it only affects Linux and Unix operating systems ....
Although there may be some minor exceptions, I believe that is essentially true, if "Unix" is considered to include Unix-like operating systems such as the various versions of BSD.

To be sure it's clear, though, this refers to the OS of the web server used by the site, not to the OS used by the individual who is communicating with that server. The OS on an individual's computer makes no difference.

And my understanding is that the majority of the world's web servers run Linux, although many of them do not handle encrypted traffic, and many of those that do aren't using the versions of OpenSSL which have the vulnerability.

Also, yesterday Audiogon posted the following in the Hub section:
Audiogon.com is no longer vulnerable to the Heartbleed bug. All of our platform providers have taken steps to prevent exploitation of the Heartbleed vulnerability by updating OpenSSL. We have restarted all resources using OpenSSL. If you have not already, we recommend you change your password.
Best regards,
-- Al
I am not totally familiar with the details of OpenSSL implementations out there today, but OpenSSL is an Open Source technology, meaning it is openly developed by a consortium of various developers and companies. Open source works well to help establish open technical standards that are not proprietary and can be adapted by many from many sources. Open Source and security are really not two words that inherently be used together due to the inherent nature of open source being "open" as opposed to "secure".

However, most commercial applications of Open SOurce technologies are done using versions of the Open SOurce Technology that is fully supported for its use by a real business/company with a skin in the game to make sure the product works as intended and is successful. I suspect that is the case with Open SSL as well, and I would expect those versions would inherently be more secure than their pure open source relatives.

However, open source implementations tend to be free, though less reliable and secure, so there is incentive for some sites/applications/companies looking to go on the cheap to use them, even if doing that with a product related to security might be as effective as hiring an 85 year old grandma as your security guard.

So it is a concern but I would expect most any reputable company to use a more robust implementation and not the free open source one.
More to discover