Concerning The Ultima Codex, Heartbleed, and SSL


First, let me just preface this with a suggestion: consider changing your password here at the site.

So I got the following email from my web host, Mediatemple, yesterday evening:

As a valued (mt) Media Temple customer, we would like to inform you of a vulnerability (CVE-2014-0160) in the OpenSSL software library that was very recently discovered. This exploit can be used to eavesdrop on information that is usually protected by the SSL/TLS encryption protocol.

Due to the severity of this vulnerability, our Security Operations team and system engineers have **already** upgraded your server.

**Will there be any downtime?**
Unfortunately, yes. In order for the updated, patched version of OpenSSL to take effect, your server was restarted, which likely caused a few moments of downtime. It should be back up by the time you read this notice.

**What do I need to do?**
Nothing. We have proactively performed the upgrade of the OpenSSL package on your server.

So if you happened to be in IRC chat yesterday evening, either in #Moongate or the official #SotA channel, you may have noticed a brief outage of that service around 6:20 PM Central Time. That outage was a result of the above-mentioned reboot, which was itself necessary to ensure that the server — and by extension the Codex and all other services associated therewith — were no longer affected by the Heartbleed bug.

For those of you who are unaware, the Heartbleed bug is a serious hole in the security of a significant portion of the Internet. The figure usually quoted is that over 66% of active sites run Apache or nginx, both of which rely on OpenSSL for their SSL/TLS; the bug itself affects OpenSSL 1.0.1 through 1.0.1f (1.0.1g fixes it, and the older 0.9.8 and 1.0.0 branches were never affected), so the vulnerable share was very large, though not the whole 66%:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

This is a big deal. But I’m happy to report that this site, and the server upon which it is hosted, is no longer vulnerable to it.
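To make concrete what "read the memory of the systems" means in the passage quoted above, here is an added illustration, not code from this post and not OpenSSL's own source: a simplified C model of the TLS heartbeat handler, showing the over-read behind CVE-2014-0160 beside the single bounds check that OpenSSL 1.0.1g added to close it. The record layout, the handler signatures, the `build_response` helper and the "process memory" buffer (a forged heartbeat followed by a constructed secret) are all my simplifications; the missing check is the one the real fix added.

```c
/* Added illustration, not OpenSSL's code: a simplified model of the TLS
 * heartbeat handler before and after the 1.0.1g fix for CVE-2014-0160.
 * Record layout, handler interface and "process memory" are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16                       /* minimum padding a heartbeat carries */
#define RECORD_LEN       (1 + 2 + 2 + HB_PADDING) /* 21 bytes actually received */

/* Constructed "process memory": a heartbeat whose length field claims 31 bytes of
 * payload while only 2 ("hi") were sent, followed by data the peer never sent.
 * On a real server those adjacent bytes could be a key, cookie or password. */
static const unsigned char process_memory[] = {
    TLS1_HB_REQUEST,            /* heartbeat type */
    0x00, 0x1f,                 /* declared payload length: 31 (a lie) */
    'h', 'i',                   /* the payload that actually arrived */
    '0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f',  /* padding */
    'a','d','m','i','n',':','h','u','n','t','e','r','2'  /* beyond the record */
};

typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Shared tail: echo `payload` bytes from pl. OpenSSL sized the reply buffer from
 * the *declared* length, so the write always fit; the bug is what memcpy reads.
 * The out_cap test stands in for that allocation. Returns bytes written, 0 on error. */
static size_t build_response(const unsigned char *pl, unsigned int payload,
                             unsigned char *out, size_t out_cap)
{
    if (1 + 2 + (size_t)payload + HB_PADDING > out_cap) return 0;
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);            /* reads `payload` bytes from pl onward */
    bp += payload;
    memset(bp, 0, HB_PADDING);          /* real code: RAND_pseudo_bytes(bp, padding) */
    return 1 + 2 + payload + HB_PADDING;
}

/* Vulnerable handler (OpenSSL 1.0.1 through 1.0.1f, modelled): trusts the peer's
 * declared payload length and never compares it to how much actually arrived. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = (unsigned int)(p[0] << 8 | p[1]);   /* n2s(p, payload) */
    p += 2;
    (void)rec_len;                      /* the bug: the real record length is ignored */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(p, payload, out, out_cap);
}

/* Patched handler (1.0.1g, modelled): validate the declared length against the
 * bytes received before touching them, and silently drop malformed heartbeats. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING > rec_len) return 0;      /* too short to be a heartbeat */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = (unsigned int)(p[0] << 8 | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the added check */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(p, payload, out, out_cap);
}

/* Feed the forged record to a handler; 1 if the reply carries the secret that
 * sits beyond the record, 0 otherwise. */
static int response_leaks_secret(hb_handler handler)
{
    unsigned char out[256];
    size_t n = handler(process_memory, RECORD_LEN, out, sizeof out);
    const char *needle = "hunter2";
    size_t nl = strlen(needle);
    for (size_t i = 3; n >= 3 && i + nl <= n; i++)
        if (memcmp(out + i, needle, nl) == 0) return 1;
    return 0;
}

/* The fix must still answer an honest heartbeat whose length field is truthful. */
static int fixed_echoes_honest_heartbeat(void)
{
    unsigned char rec[RECORD_LEN], out[64];
    memcpy(rec, process_memory, RECORD_LEN);
    rec[1] = 0x00; rec[2] = 0x02;       /* declared length now matches "hi" */
    size_t n = heartbeat_fixed(rec, sizeof rec, out, sizeof out);
    return n == RECORD_LEN && out[0] == TLS1_HB_RESPONSE && memcmp(out + 3, "hi", 2) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n", response_leaks_secret(heartbeat_vulnerable) ? "yes" : "no");
    printf("patched handler leaks secret:    %s\n", response_leaks_secret(heartbeat_fixed) ? "yes" : "no");
    printf("patched handler answers honest heartbeat: %s\n", fixed_echoes_honest_heartbeat() ? "yes" : "no");
    return 0;
}
```

The whole bug is the absence of one comparison: the handler believed a 2-byte length field supplied by the peer and copied that many bytes out of its own memory, up to 64 KiB per heartbeat, with no authentication required. Note also what the patch does and does not do. Upgrading and restarting, as the host did here, stops further reads; it does not recover anything that may already have been read while the hole was open, which is why the password suggestion at the top of this post stands and why the server's existing certificate and key are better replaced than kept.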

I am also in the process of obtaining a certificate for the site. There is actually an SSL certificate for the site already, meaning that it does support HTTPS connections. However, it is the self-signed certificate issued for the Parallels Plesk control panel that is used to administer the server, and because no certificate authority that browsers trust has vouched for it, browsers will not trust it either; Google Chrome will throw up a warning screen, for example. That warning is worth taking seriously as a rule, since a self-signed certificate gives the browser no way to tell the real server from an impostor presenting its own.

Still, the option to use HTTPS to view the site does exist, if you wish to avail yourself of it. And once I roll up a new certificate for it that has nothing to do with Parallels, that option will continue to be available.