WSA Identity Shield vs Heartbleed.

Discussion in 'Prevx Releases' started by Esse, Apr 16, 2014.

Thread Status:
Not open for further replies.
  1. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Hi all!
    Like the title says, were/are users of WSA protected from this?

    /E
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    No software on the client's computer can help here. The servers are vulnerable and attackers do not need to intercept your connection or anything like that. They just query vulnerable servers directly.
    Btw, it has been proved that clients using software with OpenSSL can be vulnerable as well, so apply updates/patches as normal and follow news on Heartbleed. Examples of vulnerable client software: Tor Browser, Qupzilla browser, LibreOffice (all 3 have released patched versions).
    Products from Kaspersky, McAfee, Symantec and others:
    http://www.networkworld.com/news/2014/041514-heartbleed-bug-irritating-280721.html

    Joe, have you already checked if any part of WSA uses a vulnerable version of OpenSSL? (Main, backup/sync, password manager etc.)

    And do we need to change passwords?
    https://lastpass.com/heartbleed/?h=detail.webrootanywhere.com
    https://lastpass.com/heartbleed/?h=community.webroot.com
     
  3. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Last edited: Apr 16, 2014
  4. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I agree with Marc's response, and the LastPass tool works quite well to check your existing sites. Neither WSA nor our infrastructure is vulnerable to it.

    While I agree that it would be nice to notify the user if the server is unpatched, it will cause users to be confused and think something is wrong on their device, when in fact, there is nothing they can do.
     
  6. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Ok, thanks all.

    I will redirect concerned customers to the links provided by vojta.

    /E
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
  8. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    I have used the LastPass tool. It works very well indeed.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
  10. Heco

    Heco Registered Member

    Joined:
    Mar 8, 2003
    Posts:
    264
    Location:
    Provence, France
  11. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
  12. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    The other test page that I posted is one of those that work right, according to that article:

    https://www.ssllabs.com/ssltest/
     
  13. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Ah, thanks. :)
     
  14. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Very helpful, thank you!
     