Is there any info/concerns re: "Heartbleed" security bug? Appears to target the main servers, like Shaw.
Would have been nice for the article to say what makes a server vulnerable...
With IIS and Apache (the two big web servers), everything is different.
Which versions are affected, etc.
The article says to call and talk to the small businesses you deal with personally, to see if they are affected, but doesn't say what to ask.
But yes, I don't have the time right now to research it; I just read the article you posted.
Their test shows the two primary log-in sites are safe.
Test your server for Heartbleed (CVE-2014-0160) : Results for Shaw Webmail @ webmail.shaw.ca
Test your server for Heartbleed (CVE-2014-0160) : Results for Online Customer Center @ secure.shaw.ca
EDIT: This article from ArsTechnica gives better details regarding the vulnerability. It's related to OpenSSL cryptography. I don't know if Shaw uses this with any of their servers, but the tests linked above show it shouldn't be a concern here.
Um, the reason your tests showed your sites are safe is that your ssl implementation uses an extension to Coyote and not openSSL. Only sites using openSSL (version 1.01 to version 1.01f) are at risk. This is a code bug in openssl and not any kind of malware.
Ah... good to know which we use. I didn't know how to check that.
But here's a scary one related to the "Heartbleed" vulnerability: the CRA detected the problem and is in the process of patching... Taxman shuts down website over Heartbleed Bug | Globalnews.ca
There isn't actually a foolproof way that I know of. But, to test ssl (not just for heartbleed) I use the test facility at ssllabs.com. In the big blue box select "Test your server", and put in the url (in this case community.shaw.ca). It runs a whole bunch of tests, then grades the site (Shaw community got an A- btw) and produces more info on ssl than you'd ever want. Often to find out the server software, look near the bottom (Miscellaneous) and look at the signature, which in the case of Shaw Community reports Apache-Coyote. Some sites won't report anything, others just the web server software (which wouldn't help), but others like Shaw Community report everything. Not sure what the "best" answer is, as knowing the server software might indicate possible bugs, but not reporting anything could indicate a homegrown witches' brew...
As for the CRA issue, the process of patching is fairly quick (download and compile the latest version of openssl 1.01g, install it, generate a new key and download a new cert). The issue the CRA has is it will then have to test the thing against all of the tax software and re-certify. Although unlikely, it is possible that one of them might fail, requiring a client side update (think turbo tax - millions of upgrades necessary).
The bigger issue is that openssl is literally on millions of websites. I'm certain not all will update promptly, making all credentials at risk. Since so many people use the same credentials on every secured website they visit, this could be the nightmare of all nightmares. Think about it: someone's login credentials are copied from Steam or Twitch then used to access bank or credit card sites, or maybe just Amazon or dealfinder (with stored credit card info)...
So just to clarify.
Is our Shaw data / network ok? Is our Shaw email / web services ok? for this Heartbleed security issue?
Yes, Shaw's data is ok
Thanks Kevinds !!
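Added example, not part of any post in this thread: a small Python check for the version range and server signature discussed above. It pulls the OpenSSL version out of a banner (the output of `openssl version` or a `Server:` header) and reports whether it falls in the upstream 1.0.1 to 1.0.1f range, assuming upstream version numbering and covering only the 1.0.1 release line; the function names and sample banners are constructed for illustration.

```python
import re

# Assumption (the thread gives only the range informally): upstream OpenSSL
# 1.0.1 through 1.0.1f are affected by CVE-2014-0160 and 1.0.1g carries the fix.
_OPENSSL_RE = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) from a banner, or None if absent."""
    m = _OPENSSL_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter.lower()


def heartbleed_status(text):
    """Classify a banner as 'affected-range', 'outside-range' or 'unknown'."""
    version = parse_openssl_version(text)
    if version is None:
        # e.g. "Apache-Coyote/1.1": the banner does not name the TLS library.
        return "unknown"
    major, minor, fix, letter = version
    if (major, minor, fix) == (1, 0, 1) and letter < "g":
        # '' (plain 1.0.1) and 'a'..'f' all sort below 'g'.
        return "affected-range"
    return "outside-range"


# Constructed sample banners, not taken from any real scan.
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1f",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "Apache-Coyote/1.1",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{heartbleed_status(banner):15} {banner}")
```

A banner is only a hint: distributions backport fixes without changing the version letter, and many servers hide the library entirely, so an "affected-range" or "unknown" result should be followed up with the package changelog or a test against a server you administer.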