Was Newsblur affected by HeartBleed, and if so, have the servers been patched?

You’re probably familiar with the Heartbleed vulnerability in OpenSSL - can you confirm whether the newsblur servers were affected by the vulnerability, and if so, that they have been patched to mitigate the issue?

http://www.theguardian.com/technology…

1 Like

https://twitter.com/NewsBlur/status/4…

2 Likes

I missed that Twitter update! Hopefully my question will now come up in the results on here too :)

Thanks

Any idea when new certs will be issued? Kind of pointless to create new passwords without that…

They already have.

Netcraft extension for Chrome reports that the same certificate is still in use. Can someone confirm when it will be changed or plausibly deny Netcraft data?

Here’s another report:

https://heartbleed.agilebits.com/chec…

This one suggests it’s possible that a new certificate was re-issued but with the prior expiration date. So it may be that everything is fine, or it’s not. We really just need an explicit confirmation. The latest official response I could find is “I’ll take care of certs soon.”

https://getsatisfaction.com/newsblur/…

I just got the new certs, I’ll be installing them Monday.

2 Likes

Thanks for the update!

It’s Wednesday and I’m still seeing the old certs. I’m understanding that these things take time, even though it’s been over two weeks since the bug went public, but the failure to meet self-imposed deadlines doesn’t inspire confidence. If you aren’t going to fix things in a timely manner, please be up front about it. Couple this with the dev’s previous vague and dismissive responses to other security concerns and it looks like a trend that will continue.

https://getsatisfaction.com/newsblur/…
https://getsatisfaction.com/newsblur/…

New features are good and exciting, but you have a duty to protect the privacy of your users, especially those who pay for the service. I’m not sure if I’m going to re-up my subscription if that cannot happen.

I’ve just noticed the certificate is now reported as OK by the Netcraft Chrome extension so I guess we now have Heartbleed behind us, albeit with more of a delay than was promised or reasonable.

I replaced the certificates on Monday. Can you ensure that they are not cached on your end? I double checked and the load balancer has the new certs and should be serving them.

I restarted the front-end server to ensure that it would serve the most up to date certs (you may have noticed about 10 seconds of downtime just then). Looks like you’re using that heartbleed checker, which caches on its end. I can assure you that the certificates are updated.

I saw the Twitter update, but I find it a bit ironic that it can’t be viewed in Newsblur itself since Twitter no longer has a nice simple RSS feed option.

The heartbleed fix itself is important enough that it probably warrants a post to blog.newsblur.com (which I do subscribe to).

I liked that Newsblur was one of the first sites I frequent to announce they were fixed.

I wish more sites were transparent about what was going on with them – such as my bank!

[Edited: spelling, clarity]

3 Likes
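
Added example, not part of the original thread or NewsBlur's code: the question the thread keeps returning to (was the certificate really replaced, or is a checker showing a cached or ambiguous result such as an unchanged expiration date?) can be settled by reading the certificate from the server directly and comparing it with an earlier observation. The function names and the two sample observations are constructed for illustration, and the disclosure date of 7 April 2014 is supplied here rather than taken from the thread.

```python
import hashlib
import socket
import ssl

# Public disclosure of Heartbleed (7 April 2014, UTC) as epoch seconds.
DISCLOSED = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")

def fetch_cert(host, port=443):
    """Read the certificate straight from the server, bypassing any checker cache."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return {"sha256": hashlib.sha256(der).hexdigest(),
            "serialNumber": info["serialNumber"],
            "notBefore": info["notBefore"],
            "notAfter": info["notAfter"]}

def assess(old, new):
    """Compare an observation taken before disclosure with a current one."""
    if new["sha256"] == old["sha256"]:
        return "unchanged: same certificate still being served"
    issued = ssl.cert_time_to_seconds(new["notBefore"])
    if issued < DISCLOSED:
        return "different certificate, but issued before disclosure"
    if new["notAfter"] == old["notAfter"]:
        return "reissued after disclosure (expiry date carried over)"
    return "reissued after disclosure"

# Constructed observations in the shape fetch_cert() returns (not real data).
OLD = {"sha256": "aa" * 32, "serialNumber": "0A",
       "notBefore": "Jun 12 00:00:00 2013 GMT",
       "notAfter": "Jun 12 12:00:00 2015 GMT"}
NEW = {"sha256": "bb" * 32, "serialNumber": "0B",
       "notBefore": "Apr 26 00:00:00 2014 GMT",
       "notAfter": "Jun 12 12:00:00 2015 GMT"}

if __name__ == "__main__":
    print(assess(OLD, OLD))
    print(assess(OLD, NEW))
```

A changed fingerprint with a post-disclosure `notBefore` shows the certificate was replaced; it does not by itself show that a new private key was generated or that the old certificate was revoked.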