I’ll need to put the LGF web server into maintenance mode for a short time, probably within the next 3 hours, in order to complete some work cleaning up the mess created by this nasty Heartbleed apocalypse you might have heard about. The good news is that our servers are completely patched against the bug, and our SSL certificate has been revoked, reissued and reinstalled. When all the necessary back-end stuff is complete, I’ll be asking all registered LGF users to change their passwords ASAP, but hold off until I give the signal.
It’s a really interesting mental exercise to exhaustively go through a server and identify everything that might be a security problem if it’s in the server’s memory. That’s what makes Heartbleed insidious — it essentially gives an attacker access to the server’s entire memory (in 64K chunks, with repeated requests), and when encrypted data is in RAM it’s in decrypted form. Basically, the exploit based on this OpenSSL bug makes everything that should be private on a server easily accessible if it’s ever read into RAM, and it leaves not a single trace of its filthy work.
In the meantime, here’s an open thread as I get things set up so this maintenance time can be as short as possible.
Here's where you can check to see if a website you visit is vulnerable to the “Heartbleed” bug: http://t.co/5ulKoSZsPW
We went into and out of maintenance mode so fast you may not have noticed it, but LGF’s servers are now fully protected from the Heartbleed monster. Time to change your LGF passwords, folks.
And if you’re not already using 1Password, you really should look into it. It makes password management 271% less stressful.