Was Newsblur affected by HeartBleed, and if so, have the servers been patched?

  • Updated 5 years ago
You're probably familiar with the Heartbleed vulnerability in OpenSSL - can you confirm whether the newsblur servers were affected by the vulnerability, and if so, that they have been patched to mitigate the issue?

http://www.theguardian.com/technology...

TomM


Posted 6 years ago

ojiikun

TomM

I missed that Twitter update! Hopefully my question will now come up in the results on here too :)

Thanks

passionsocks

I saw the Twitter update, but I find it a bit ironic that it can't be viewed in Newsblur itself since Twitter no longer has a nice simple RSS feed option.

The heartbleed fix itself is important enough that it probably warrants a post to blog.newsblur.com (which I do subscribe to).

I liked that Newsblur was one of the first sites I frequent to announce they were fixed.

I wish more sites were transparent about what was going on with them -- such as my bank!

[Edited: spelling, clarity]

chzhaz

Any idea when new certs will be issued? Kind of pointless to create new passwords without that...

DavidSev

They already have.

me

Netcraft extension for Chrome reports that the same certificate is still in use. Can someone confirm when it will be changed or plausibly deny Netcraft data?

Nicholas Riley

Here's another report:

https://heartbleed.agilebits.com/chec...

This one suggests it’s possible that a new certificate was re-issued but with the prior expiration date. So it may be that everything is fine, or it’s not. We really just need an explicit confirmation. The latest official response I could find is “I’ll take care of certs soon.”

https://getsatisfaction.com/newsblur/...

Samuel Clay, Official Rep

I just got the new certs, I'll be installing them Monday.

chzhaz

Thanks for the update!

jf938

It's Wednesday and I'm still seeing the old certs. I'm understanding that these things take time, even though it's been over two weeks since the bug went public, but the failure to meet self-imposed deadlines doesn't inspire confidence. If you aren't going to fix things in a timely manner, please be up front about it. Couple this with the dev's previous vague and dismissive responses to other security concerns and it looks like a trend that will continue.

https://getsatisfaction.com/newsblur/...
https://getsatisfaction.com/newsblur/...

New features are good and exciting, but you have a duty to protect the privacy of your users, especially those who pay for the service. I'm not sure if I'm going to re-up my subscription if that cannot happen.

me

I've just noticed the certificate is now reported as OK by Netcraft Chrome extension so I guess we now have Heartbleed behind us, albeit with more of a delay than was promised or reasonable.

Samuel Clay, Official Rep

I replaced the certificates on Monday. Can you ensure that they are not cached on your end? I double checked and the load balancer has the new certs and should be serving them.

Samuel Clay, Official Rep

I restarted the front-end server to ensure that it would serve the most up to date certs (you may have noticed about 10 seconds of downtime just then). Looks like you're using that heartbleed checker, which caches on its end. I can assure you that the certificates are updated.