Heart bleed bug: Is WP compromised?

    #1739076

    seanmwooten
    Member

    Like I said, I don’t want to insult anyone, I just want this issue to be taken seriously by WordPress.com. The damage that someone could do with login credentials to our blogs could seriously affect our reputations, our SEO, and our content. My blog is out of date, but I use my WordPress.com account for other purposes and I really don’t want to see it compromised.

    I like a conspiracy theory as much as the next person, but a cursory Google News search will reveal this is a vulnerability that is sounding alarms all over the world.

    #1739078

    seanmwooten
    Member

    “The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.”

    https://www.schneier.com/blog/archives/2014/04/heartbleed.html

    #1739123

    seanmwooten
    Member

    We have answers, at least on Twitter…

    Matt Mullenweg:
    https://twitter.com/photomatt/statuses/454345166187667457

    WordPress.com:
    https://twitter.com/wordpressdotcom/statuses/454312202250756096

    Matt’s answer is the pivotal one – the SSL cert will be replaced, so don’t update your passwords until that happens.

    timethief: Can you mark this thread as “resolved”?

    #1739124

    timethief
    Member

    @seanmwooten
    Thank you so much for following through with this and posting the response from Matt here.

    P.S. davidderrick can mark the thread resolved – I can’t.

    #1739125

    davidderrick
    Member

    I’m confused. “Don’t update your passwords until it is resolved.” Or “It HAS been resolved, now update your passwords.”

    Which is it?? It seems the former, yes? So anyone who did update their passwords is compromised?

    #1739126

    seanmwooten
    Member

    davidderrick: This is a complicated situation. Because of the vulnerability, compromised websites could have had their SSL cert key stolen along with everything else that was in their servers’ memory, thereby allowing the attackers to disguise themselves as the website in question and just steal any new credentials. That’s why simply patching this bug isn’t good enough – it doesn’t fix the compromised SSL cert. The website has to get a new one and revoke the old one before it is fully safe to update your password.

    It sounds like a lot of work for an attacker, but they have had two years to exploit this bug – that’s why webmasters and server admins around the world are taking this situation so seriously.

    #1739127

    seanmwooten
    Member

    If you updated your password, you’re probably okay – but that can’t be guaranteed with 100% certainty. If the idea of your account being compromised keeps you up at night, then just change your password again after the SSL cert is replaced.

    #1739128

    mbnelsen
    Member

    I tried to change my password and got the following message: Unauthorized password change request

    Tried three times. What’s up?

    #1739129

    There seems to be a lot of confusion. Here’s a recap of what I understand so far:

    A — The SSL libraries need to be patched to prevent the certificate key from being stolen in the future. THEN, a new SSL certificate has to be obtained, since its key may have been stolen in the past.

    B — Until the SSL certificate is replaced, any new passwords are in the same danger of being stolen as the old password.

    C — It’s hard to tell if it’s safe to reset passwords yet, because yesterday morning WordPressDotCom tweeted that the exploit was “addressed” (https://twitter.com/wordpressdotcom/statuses/454312202250756096), yet 12 hours later, when asked if it was safe to reset passwords yet, Matt Mullenweg replied “soon.”

    D — This site-checking tool (www.networking4all.com/en/support/tools/site+check/) lists WordPress.com’s certificate as having been issued four months ago.

    If all of this information is correct, then the best possible precaution is to reset your password (again, if necessary) at some unknown time in the future, after the new SSL certificate is in place.

    (The point above about using the same username/pw combo on multiple sites is well taken; if your WP credentials are also used anywhere else, you may want to make them all unique NOW, so that even if your WP credentials are stolen, they can’t be used to also hack your other accounts).

    I’m sure that the WordPress.com staff are working on this and that it won’t be long. However, this issue is not resolved in my mind until there is an unambiguous message, from someone with the word “staff” next to their WordPress.com profile name, not only that the patch has been performed but also that the certificate has been replaced.

    WordPress.com doesn’t seem to have any trouble contacting me when my registration fees come due; I don’t doubt that they will find a widely distributed, easily accessible, unambiguous way to notify me when they’re ready for me to change my password.
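    The recap above (and seanmwooten’s earlier explanation) rests on one point: the patch stops the server from leaking memory from now on, but cannot recover anything already leaked, which is why the certificate and then the passwords must also be replaced. The following is an added illustration, not code from this thread or from OpenSSL: a simplified simulation of the heartbeat length check, with a constructed in-memory record and some constructed “adjacent memory” after it, showing the missing bounds check that the fix added.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample arena, not real TLS data. A heartbeat message per
 * RFC 6520 is: type(1) | payload_length(2, big-endian) | payload | padding(16).
 * RECORD_LEN is what the peer actually sent; bytes after it stand in for
 * whatever else happened to sit next to the record in server memory. */
#define RECORD_LEN 24
#define ARENA_LEN  64
static unsigned char arena[ARENA_LEN];

static void setup_arena(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                         /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, "hello", 5);        /* real payload: 5 bytes + 16 bytes padding = 24 */
    memcpy(arena + RECORD_LEN, "SECRET-KEY-MATERIAL", 19); /* constructed "adjacent memory" */
}

/* Unpatched logic: trusts the peer's length field and echoes that many bytes.
 * The only guard here keeps the simulation itself inside the arena. */
static int heartbeat_unpatched(unsigned char *out, size_t outcap) {
    uint16_t payload = (uint16_t)((arena[1] << 8) | arena[2]);
    if (payload > outcap || 3 + (size_t)payload > ARENA_LEN) return -1;
    memcpy(out, arena + 3, payload);
    return payload;
}

/* Patched logic: reject any request whose claimed payload plus header and
 * padding exceeds the record actually received. This is the bounds check
 * the fix introduced; it prevents future over-reads but cannot undo past ones. */
static int heartbeat_patched(unsigned char *out, size_t outcap, size_t record_len) {
    uint16_t payload;
    if (record_len < 1 + 2 + 16) return -1;                    /* no room for any payload */
    payload = (uint16_t)((arena[1] << 8) | arena[2]);
    if (1 + 2 + (size_t)payload + 16 > record_len) return -1;  /* the missing check */
    if (payload > outcap) return -1;
    memcpy(out, arena + 3, payload);
    return payload;
}

/* Returns 1 if the reply contains bytes that came from beyond the record. */
static int reply_leaks(const unsigned char *out, int n) {
    for (int i = 0; i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}
```

A well-formed request (claimed length 5) is answered identically by both versions; an over-long claim (e.g. 40) makes the unpatched version echo the bytes after the record, while the patched version refuses it.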

    #1739130

    ruthl
    Member

    Surprised there is nothing about Heartbleed on the news page, seeing as it is all over the Internet. This security breach is massive. And still no information posted on WordPress.com from an official WordPress techy.

    Most important question: can we now make a password change without compromising our new password?

    #1739132

    seanmwooten
    Member

    ruthl: I would wait until the WordPress.com SSL certificate is replaced before resetting your password.

    #1739133

    davidderrick
    Member

    Why is it taking so long to replace the SSL cert? Why are WP as usual so casual about communicating?

    #1739135

    apfwebs
    Member

    mylenedipenta: Yep, exactly what I understand. Unfortunately, I saw a report of Matt’s Twitter post and “jumped the gun” on a password change too early. (Dang!) seanmwooten: spot on.

    My poor brain hurts from the challenge of creativity in trying to think up memorable passwords for the many sites we use. (Dang!) I anxiously await news today of word from Matt. I’ve been using the lastpass checker to verify…

    #1739138

    a6861
    Member

    So should we change our WordPress passwords or not?
    If yes, when is the right time to do it? (how can we know when WordPress replace their SSL cert?)

    Some official announcement from the WordPress staff on this issue would be helpful.
    It’s difficult for us to try to keep guessing.

    #1739142

    hurdingkatz
    Member

    What strikes me strange about communication on this issue is that to hear from WordPress (among others), I’d have to go to Twitter.

    Why should I have to go to Twitter (or maybe Facebook). Don’t web-based services like WordPress have their own website or blog or something via which they can communicate with their users? (I know where they can get a blog if they need one.)

    I’ve never heard of Sean Wooten before (no offence intended), so if I happened to go to Twitter, unless I was searching hash tags, I’d never know what he was saying on this subject anyhow, no matter how authoritative he is. Personally, I don’t make a habit of following corporate tweets (most are promotional time-wasters), but I do check the websites of the services I use.

    Please, WordPress (and others), you have a primary means of communication (please use it) and a built-in audience (that knows how to reach you). The other services are secondary and should only be relied upon to bring us to you.

    #1739143

    timethief
    Member

    We have answers, at least on Twitter…

    Matt Mullenweg:
    https://twitter.com/photomatt/statuses/454345166187667457

    WordPress.com:
    https://twitter.com/wordpressdotcom/statuses/454312202250756096

    Matt’s answer is the pivotal one – the SSL cert will be replaced, so don’t update your passwords until that happens.

    #1739144

    seanmwooten
    Member

    hurdingkatz: No offence taken. I’m not an expert on these matters or any other related to WordPress, and I haven’t claimed to be here or anywhere else. I’ve used WordPress for many years, and I use it to a limited extent professionally. I’m posting here under my personal account as a WordPress.com user, nothing more.

    The tweets cited in this thread are from Matt Mullenweg, co-founder of WordPress and founder/CEO of Automattic (WordPress.com’s parent company) and the official WordPress.com Twitter account. Both of these accounts have been verified as authentic by Twitter. The information I’ve posted about Heartbleed is from Bruce Schneier, a world-renowned cryptographer, computer security expert, and privacy specialist.

    #1739146

    davidderrick
    Member

    Some people already did update their passwords, which makes it concerning that it is taking so long to update the SSL. With the biggest threat to the security of the Internet ever, what do we hear from WP at wp.com? Nothing. By email? Nothing. On a tweet, one grudging word, under pressure: “Soon”.

    #1739149

    Honestly, I have never had anything to grumble about regarding WordPress.com before now, but their official silence on this issue really is deafening. Is there anybody out there? Even a simple message via the WP.com blog that says, “we’re working on it,” would be nice.

    #1739150

    isikyus
    Member

    You can count me as another person frustrated by this.
    I’m half-considering switching to my self-hosted blog until the SSL certificate is sorted out.

    I realise that CAs are overworked at the moment, and it might not happen overnight; but it would be good to at least have some feedback on how much longer we have to wait.

The topic ‘Heart bleed bug: Is WP compromised?’ is closed to new replies.