Jump to content

Heartbleed and IPB

GreenLinks

By GreenLinks
in Feedback

Recommended Posts

  • Management
Charles Grand Master

Charles

Posted
  • Management
Posted

I do not understand your question.

Heartbleed is an OpenSSL vulnerability that is a server-level problem. IPB is not OpenSSL ...

GreenLinks Collaborator

GreenLinks

Posted
  • Author
Posted

It is OpenSSL vulnerability though IPB uses sessions inside backend url which kind of makes this security more in the face of the user. So i want to know if you are planning to change or add more improvements for future.

Ryan H. Mentor

Ryan H.

Posted
Posted

As Charles said, the OpenSSL vulnerability is a server issue, nothing IPB has any sort of control over. You need to contact your host to make sure they've patched or will be patching your server(s).

GreenLinks Collaborator

GreenLinks

Posted
  • Author
Posted

If Charles or other team will approve the posts in timely , you can all see the issue.

Heartbleed is a OpenSSl vulnerability however according to how systems is designed , it is extremely easy to attack vulnerable websites.

Unfortunately IPB is one of this easy attacked candidates atm.

My question is if IPB is thinking about changing this for future to increase security or not.

bfarber Grand Master

bfarber

Posted
Posted

Can you please explain what you are referring to?

The solution for the vulnerability in question is to upgrade OpenSSL. There is no application-level solution. I don't understand what it is you think we as a company can do at the application level to resolve or mitigate this issue.

Guest

Guest

Posted
Posted

I think Greenlinks is referring to the idea that if you can steal someone's session ID by exploiting the Heartbleed vulnerability, you can gain access to other people's accounts within IP.Board by hijacking their session, and is looking for mitigations for that.

I guess this is where session IP validation would come in, if you're particularly paranoid about man-in-the-middle attacks, but there's very little else IP.Board could do.

bfarber Grand Master

bfarber

Posted
Posted

I think Greenlinks is referring to the idea that if you can steal someone's session ID by exploiting the Heartbleed vulnerability, you can gain access to other people's accounts within IP.Board by hijacking their session, and is looking for mitigations for that.

I guess this is where session IP validation would come in, if you're particularly paranoid about man-in-the-middle attacks, but there's very little else IP.Board could do.

The ability to validate a session against an IP address is already included in IP.Board as an ACP setting.

GreenLinks Collaborator

GreenLinks

Posted
  • Author
Posted

I think Greenlinks is referring to the idea that if you can steal someone's session ID by exploiting the Heartbleed vulnerability, you can gain access to other people's accounts within IP.Board by hijacking their session, and is looking for mitigations for that.

I guess this is where session IP validation would come in, if you're particularly paranoid about man-in-the-middle attacks, but there's very little else IP.Board could do.

Exactly

thanks for notifying about that setting :)

Ichirō Explorer

Ichirō

Posted
Posted

Exactly

thanks for notifying about that setting :smile:

Just to clarify for anyone unsure, to check the setting you will find it here:

Admin cp > System Settings > System > Security and Privacy > Security [General - High]

Hexsplosions Proficient

Hexsplosions

Posted
Posted

I have that setting disabled as it causes problems when multiple users browse from the same IP address (university campuses, partners in the same households, etc).

I'm not particularly worried about this myself... since the exploit is now effectively closed through a patch.

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Invision Community © 2024 IPS, Inc.
×
×
  • Create New...