GPF News Archive
Hey there, folks. I know, I know... a News post on a Thursday? What is this site coming to? I normally like to reserve News posts for Mondays, our highest traffic days, but the main topic of this post just won't wait. There are a few additional items at the bottom, but we have one heck of a doozy to start with.
The OpenSSL "Heartbleed" Vulnerability: Unless you closely watch Internet security news, you may not be aware of the massive story that broke earlier this week. A severe buffer-overflow vulnerability was found in the Open Source OpenSSL cryptographic library, which security researchers have nicknamed the "Heartbleed" bug. While the full details get pretty technical, the super-condensed Jeff summary is that an attacker can send specially crafted "heartbeat" requests to both client and server software that use affected OpenSSL libraries and potentially steal any information stored within the victim computer's memory, up to and including user names, passwords, cryptographic keys, and other sensitive data. The vulnerable code was introduced in December 2011 and was only just discovered, so the flaw went unnoticed by security experts for over two years. As of this writing, it is unknown whether or not hackers have been exploiting this flaw, but now that proof-of-concept code is available, they are guaranteed to start quickly.
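For readers who want to see what "specially crafted heartbeat request" actually means, here is an added, constructed C model of the one decision that went wrong. It is not code from the GPF site or from OpenSSL; it only reproduces the shape of the bug and of its fix. A heartbeat message (RFC 6520) is a type byte, a two-byte payload length, the payload, and at least 16 bytes of padding. The vulnerable handler trusted the length field the peer sent instead of checking it against the record it had actually received, so its copy ran past the end of the record and echoed neighbouring memory back to the peer. The function names (heartbeat_vulnerable, heartbeat_fixed), the arena and the SECRET string are my own; the "secret" is a constructed stand-in for the keys and passwords mentioned above.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified model of a TLS heartbeat message (RFC 6520):
 * 1-byte type | 2-byte payload_length | payload | >= 16 bytes padding.
 * Only the missing check that caused Heartbleed is reproduced here.
 * Handlers return the reply length, or -1 if the request is dropped. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

static uint16_t claimed_len(const uint8_t *rec) { return (uint16_t)((rec[1] << 8) | rec[2]); }

/* Shared reply builder: copies payload_len bytes from the request into out.
 * It checks only the size of its own output buffer, never how many bytes
 * of request were really received; that is the caller's job. */
static int write_reply(const uint8_t *rec, uint16_t payload_len, uint8_t *out, size_t out_cap)
{
    size_t reply_len = 3 + (size_t)payload_len + HB_PADDING;
    if (reply_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);        /* over-reads if payload_len > rec_len - 3 */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)reply_len;
}

/* VULNERABLE: trusts the peer's payload_length. If the record actually
 * received is shorter, memcpy reads past it into adjacent process memory
 * and that memory is echoed back to the peer. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    return write_reply(rec, claimed_len(rec), out, out_cap);
}

/* FIXED: header + claimed payload + padding must fit in the bytes actually
 * received; otherwise the request is silently discarded (the upstream fix). */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = claimed_len(rec);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;
    return write_reply(rec, payload_len, out, out_cap);
}

/* Constructed demo arena: a 5-byte request ("hi", but claiming 40 bytes)
 * followed by an unrelated secret, standing in for keys or passwords that
 * share the process's memory. The over-read stays inside this arena. */
static const char SECRET[] = "constructed-secret";
static uint8_t arena[64];

static size_t build_request(void)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 40;   /* claims 40, sends 2 */
    memcpy(arena + 3, "hi", 2);
    memcpy(arena + 5, SECRET, sizeof SECRET);
    return 5;                                             /* bytes really received */
}

/* 1 if SECRET appears anywhere in buf, else 0. */
static int contains_secret(const uint8_t *buf, size_t len)
{
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler echoes the secret back to the peer. */
int demo_vulnerable_leaks(void)
{
    uint8_t out[128];
    int n = heartbeat_vulnerable(arena, build_request(), out, sizeof out);
    return n > 0 && contains_secret(out, (size_t)n);
}

/* 1 if the fixed handler drops the same malformed request. */
int demo_fixed_rejects(void)
{
    uint8_t out[128];
    return heartbeat_fixed(arena, build_request(), out, sizeof out) == -1;
}

/* Reply length for a well-formed 2-byte payload (3 + 2 + 16 = 21), showing
 * the fix leaves legitimate heartbeats working; -1 if the echo is wrong. */
int demo_fixed_echoes_valid(void)
{
    uint8_t rec[3 + 2 + HB_PADDING] = { HB_REQUEST, 0, 2, 'h', 'i' };
    uint8_t out[128];
    int n = heartbeat_fixed(rec, sizeof rec, out, sizeof out);
    return (n == 21 && memcmp(out + 3, "hi", 2) == 0) ? n : -1;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler rejects request:   %d\n", demo_fixed_rejects());
    printf("fixed handler valid reply bytes: %d\n", demo_fixed_echoes_valid());
    return 0;
}
```

The entire fix is the single length comparison in heartbeat_fixed. The vulnerable handler bounds-checks only its own output buffer, which is why a five-byte request can pull forty bytes out of the process, and why patching the library and rotating keys (as described below) were the right responses: nothing in the application's own code could have prevented the read.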
The GPF site makes extensive use of Free/Libre Open Source Software (FLOSS), a fact that we're normally very proud of. Sadly, this means that up until yesterday, GPF was potentially vulnerable. Here's what I can tell you about how this has affected us:
- The version of OpenSSL GPF uses has already been patched, and our SSL/TLS certificate has been revoked and reissued with a new private key. This should prevent future attacks, whether direct exploitation of this flaw or man-in-the-middle or phishing attacks using a private key that might have been stolen before the patch. We also implemented a number of important TLS improvements some time ago, like Perfect Forward Secrecy, which negotiates a fresh session key for each connection rather than deriving it from the certificate's private key, so it is highly unlikely any of our data, both past and future, would be intercepted and decrypted.
- GPF is a very low-profile target; we don't store financial information about our users, and probably the most sensitive personal information we store would be e-mail addresses for Forum and Premium users. Thus it is highly unlikely we would be directly targeted, but we can't rule out the possibility of attacks of opportunity. We get bombarded by spam bots and vulnerability probes every day, but all of those bounce off our well-configured firewalls and hardened scripts. "Heartbleed" attacks are largely untraceable, so drive-by attacks could be swift and difficult to detect.
- The worst possible scenario if we were ever compromised would be the loss of password information for the Forum or Premium. We store these passwords very securely on our end, but only the encrypted SSL/TLS tunnel protects them during transport between your browser and our server. If a "Heartbleed" attack ever occurred, there would be a chance that unobscured password information stored briefly in memory on the server could have been leaked. Therefore, I recommend GPF Forum and Premium users change their passwords. Since the likelihood that an actual attack ever occurred is pretty small, I'm not going to require a change, but I will recommend it. If you happen to use your Forum and/or Premium passwords on any other site (an extremely bad practice you should get out of immediately), then you should probably change your password in those other locations as well.
- If you do not have a GPF Forum or Premium account, you should not be affected at all by this flaw. "Heartbleed" only affects SSL/TLS encrypted traffic. Most of our site uses unencrypted HTTP, and we force HTTPS only for sensitive logins and similar transactions.
Please note that this vulnerability is affecting a lot of Web sites, not just GPF, so you may be seeing this kind of news post frequently over the next few weeks. This isn't a flaw in GPF's home-grown scripts, but in a third-party library that has a long-standing reputation for being robust and secure. If you're not already using a password manager like LastPass, RoboForm, Dashlane, or (my personal favorite) Cryptnos, I would highly recommend that you start ASAP.
And now for some lighter topics...
Thank You to all our Transcribers! In my previous News post, I introduced our transition from the old Oh No Robot transcription system to our new in-house system. I have to say, the response was way more exciting than I had hoped! A number of you have jumped in and added transcriptions, especially improving some existing transcriptions that still needed a bit of work. I wanted to thank all of you who have submitted transcriptions already and encourage you to keep up the great work. There are separate lists for comics in need of transcriptions and transcriptions needing improvement, so any help you can provide will always be appreciated.
New Rumor Mill Post: Lastly, I wanted to remind all our Premium subscribers that there's a new Rumor Mill post, for those of you who don't check it frequently or don't subscribe to the Premium-exclusive RSS feed. You can access the Rumor Mill from the Premium hub and scroll about half-way down the page. This Rumor isn't a gigantic secret (it's an update on a Rumor I've posted before), but I know it's something a number of you long-time readers will like to hear. If you're not a Premium subscriber, I'll be making a more public announcement about this as its completion draws closer... or you could subscribe now if you're impatient. :)