April 18, 2014
As most of you will have read in the news by now, a serious vulnerability in OpenSSL, known as Heartbleed, was recently disclosed. It affected OpenSSL releases from 1.0.1 onward, up until the fixed release published on 7th April 2014.
The boxsoci.al website runs on Ubuntu 12.04 LTS, which was vulnerable to this bug. Ubuntu 12.04 LTS has been configured to install security patches automatically without any intervention required. Upon learning of the Heartbleed bug, an audit was performed and it was determined that the vulnerability had already been patched automatically; further testing confirmed that the patch had indeed closed the vulnerability. (This response may seem slow, but the patch was applied immediately.)
The SSL certificate for boxsoci.al has now also been replaced. Now is also a good time to remind everyone to change their passwords. boxsoci.al also supports multi-factor authentication using one-time passcodes as specified in RFC 6238 (TOTP). This can be enabled under Account Security in your My Account/Dashboard. Unfortunately, as boxsoci.al is a hobby project, I have made the tough decision not to use an SMS OTP provider and to support only RFC 6238 compliant OTP generator apps.
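For readers curious what an RFC 6238 compliant generator actually computes, here is an added illustration (not code from boxsoci.al) of the TOTP algorithm and of the server-side checks that go with it: a drift window, a constant-time comparison, and refusal to accept the same time step twice. Only the Python standard library is used; the 8-digit codes for the key `12345678901234567890` are the published RFC 6238 test vectors, and the base32 handling mirrors how authenticator apps are provisioned.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, (int(unix_time) - t0) // step, digits, algo)


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret, often shown in
    space-separated groups without padding; normalise it and decode."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check for one account: tolerate +/- `window` steps of clock
    drift and refuse to accept a time step that has already been used, so a
    code observed once cannot be replayed within its validity window."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code: str, unix_time=None) -> bool:
        code = code.strip()
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now = int(time.time()) if unix_time is None else int(unix_time)
        base = now // self.step
        matched = None
        # Check every step in the window, without early exit, so timing does
        # not reveal which step (if any) matched.
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            candidate = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(candidate, code) and matched is None:
                matched = counter
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference key.
    key = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("current 6-digit code:", totp(key, time.time()))
```

The `last_counter` value has to be stored per account (in the database, not in memory) for the replay protection to survive a restart; the same goes for the secret, which should be kept as carefully as a password hash.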
Following this, I will be conducting an audit of how passwords travel through the site (a "password trail" audit). So far we have stopped sending your password in plain text in the registration confirmation e-mail, in line with current industry practice. It is likely that similar improvements will be made to the password reset process as well.
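What replaces a password in such e-mails is usually a random, single-use, expiring token. The following added example (my own illustration, not boxsoci.al's code) shows that design for both registration confirmation and password reset: the server keeps only a hash of each token, the raw token appears once in the e-mail link, and redemption is bound to a purpose and a deadline. The confirmation URL path and the token lifetimes are assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Assumed lifetimes in seconds; a reset link should live much shorter than a
# confirmation link.
TOKEN_TTL = {"confirm": 24 * 3600, "reset": 3600}


@dataclass
class PendingToken:
    email: str
    purpose: str
    expires_at: int


class TokenStore:
    """Single-use, expiring tokens for confirmation and reset links.

    Only the SHA-256 fingerprint of each token is stored, so a copy of the
    database does not let anyone redeem outstanding tokens."""

    def __init__(self):
        self._pending = {}  # fingerprint -> PendingToken

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email: str, purpose: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._fingerprint(token)] = PendingToken(
            email, purpose, now + TOKEN_TTL[purpose])
        return token

    def redeem(self, token: str, purpose: str, now: int):
        """Return the e-mail the token was issued for, or None.

        The token is removed on its first presentation whether or not it was
        still valid, so it can never be tried a second time."""
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None or entry.purpose != purpose or now > entry.expires_at:
            return None
        return entry.email


def registration_email(email: str, token: str) -> str:
    """Confirmation mail: a link carrying the token, and never the password.
    The URL path is an assumption for this example."""
    return (f"To: {email}\n\n"
            "Thanks for registering. Confirm your boxsoci.al account here:\n"
            f"https://boxsoci.al/confirm?token={token}\n")


def reset_email(email: str, token: str) -> str:
    """Reset mail: same pattern, with the shorter-lived reset token."""
    return (f"To: {email}\n\n"
            "A reset was requested for your boxsoci.al account. "
            "If that was you, follow this link within the hour:\n"
            f"https://boxsoci.al/reset?token={token}\n")


if __name__ == "__main__":
    # Constructed demo: issue a confirmation token and render the mail.
    store = TokenStore()
    tok = store.issue("alice@example.com", "confirm", now=0)
    print(registration_email("alice@example.com", tok))
    print("redeemed for:", store.redeem(tok, "confirm", now=60))
```

The reset path additionally needs the account's password hash replaced only after a successful redemption, and existing sessions invalidated, but the token handling above is the part that keeps secrets out of the e-mail.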
Remember to stay safe on the Internet. And if you haven't read my last article about online account security, you should check it out.