SSL activated on *.openmpt.org

Started by Saga Musix, April 08, 2014, 22:56:33


Saga Musix

I've activated HTTPS connections for most openmpt.org domains - including the forums, bug tracker and wikis. Now you can transfer your precious user data through a secure connection! It's a self-signed certificate, though, so you will have to make your browser shut up about it before you can use it properly. Still better than nothing. Start by pointing your browser to https://forum.openmpt.org/
» No support, bug reports, feature requests via private messages - they will not be answered. Use the forums and the issue tracker so that everyone can benefit from your post.

Saga Musix

#1
In related news, you may have heard about the catastrophic Heartbleed SSL bug; since August 2013, openmpt.org has been running on a server installation with an affected OpenSSL implementation. Since HTTPS was enabled for some non-public services, this means that a potential attacker knowing about the bug at that time (people rightfully suspect that intelligence agencies such as the NSA could have known about the bug) could have abused it on openmpt.org, which could have potentially leaked arbitrary data from the Apache web server process. What does this mean? Well, it could mean that any data you have entered on any of the services here can be considered compromised, including passwords. This is just a heads-up, and if you're paranoid enough, it's probably time to change passwords now. The forum software hashes passwords client-side instead of server-side if JavaScript is enabled, which adds some extra security as the original password is not sent through the HTTP header, but I don't think the bug tracker and wiki software do that.
Note that it's not our fault that the server has been vulnerable; in fact, I patched the OpenSSL installation as soon as I could after the Heartbleed bug became public.