Heartbleed and IPB


GreenLinks

If Charles or other team members approve the posts in a timely manner, you can all see the issue.

Heartbleed is an OpenSSL vulnerability; however, according to how systems are designed, it is extremely easy to attack vulnerable websites.

Unfortunately, IPB is one of these easily attacked candidates atm.

My question is if IPB is thinking about changing this for future to increase security or not.


Can you please explain what you are referring to?

The solution for the vulnerability in question is to upgrade OpenSSL. There is no application-level solution. I don't understand what it is you think we as a company can do at the application level to resolve or mitigate this issue.


I think Greenlinks is referring to the idea that if you can steal someone's session ID by exploiting the Heartbleed vulnerability, you can gain access to other people's accounts within IP.Board by hijacking their session, and is looking for mitigations for that.

I guess this is where session IP validation would come in, if you're particularly paranoid about man-in-the-middle attacks, but there's very little else IP.Board could do.


I think Greenlinks is referring to the idea that if you can steal someone's session ID by exploiting the Heartbleed vulnerability, you can gain access to other people's accounts within IP.Board by hijacking their session, and is looking for mitigations for that.

I guess this is where session IP validation would come in, if you're particularly paranoid about man-in-the-middle attacks, but there's very little else IP.Board could do.

The ability to validate a session against an IP address is already included in IP.Board as an ACP setting.


I think Greenlinks is referring to the idea that if you can steal someone's session ID by exploiting the Heartbleed vulnerability, you can gain access to other people's accounts within IP.Board by hijacking their session, and is looking for mitigations for that.

I guess this is where session IP validation would come in, if you're particularly paranoid about man-in-the-middle attacks, but there's very little else IP.Board could do.

Exactly

Thanks for notifying me about that setting :)


I have that setting disabled as it causes problems when multiple users browse from the same IP address (university campuses, partners in the same households, etc).

I'm not particularly worried about this myself... since the exploit is now effectively closed through a patch.

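The thread above discusses session-ID theft and the "validate session against IP" setting as the only application-level mitigation, along with the side effect that setting has on legitimate users. The following Python sketch is an added example, not IP.Board code, of what such a check does on the server side: it binds each session to the address it was created from and, when validation is enabled, destroys a session presented from any other address. The scenario functions and the addresses in them are constructed for illustration; they assume the session ID has already been obtained by some means (the thread's Heartbleed memory leak, or any other leak) and simply replay it.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    bound_ip: str  # client address at login time


class SessionStore:
    """Toy server-side session store (constructed for this example).

    validate_ip=True mimics an "IP validation" setting: a request that
    presents a valid session ID from an address other than the one the
    session was created from is treated as a possible hijack and the
    session is destroyed, so neither party can keep using it.
    """

    def __init__(self, validate_ip: bool) -> None:
        self.validate_ip = validate_ip
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> str:
        # 256-bit unguessable session ID; the weakness discussed in the
        # thread is not guessability but leakage of an ID that is in use.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip)
        return sid

    def resolve(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the user owning this session, or None if the session is
        unknown or (with validate_ip) the presenting address differs."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self.validate_ip and session.bound_ip != client_ip:
            del self._sessions[sid]  # force a fresh login for the real user too
            return None
        return session.user


def hijack_scenario(validate_ip: bool) -> Tuple[Optional[str], Optional[str]]:
    """A leaked session ID is replayed from a second address.

    Returns (what the replaying client is resolved as,
             what the original client is resolved as afterwards).
    """
    store = SessionStore(validate_ip)
    sid = store.login("alice", "203.0.113.10")        # constructed victim login
    replayed = store.resolve(sid, "198.51.100.7")     # same ID, different address
    victim_after = store.resolve(sid, "203.0.113.10")
    return replayed, victim_after


def roaming_scenario(validate_ip: bool) -> Optional[str]:
    """The side effect: a legitimate user whose address changes mid-session
    (mobile network hand-off, rotating proxy) looks exactly like a replay."""
    store = SessionStore(validate_ip)
    sid = store.login("bob", "203.0.113.10")
    return store.resolve(sid, "203.0.113.11")


if __name__ == "__main__":
    for flag in (False, True):
        print(f"validate_ip={flag}: hijack -> {hijack_scenario(flag)}, "
              f"roaming user -> {roaming_scenario(flag)}")
```

With validation off, the replayed ID resolves to the victim's account and the victim is none the wiser; with it on, the replay fails and the victim is logged out on their next request, which is the signal an operator can alert on. The roaming case shows why the setting is a trade-off rather than a free win: the same rule rejects a genuine user whose address changed, which is the kind of breakage the last reply in the thread describes.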
