23 April 2014

The Ruby Reflector

Topic: SSL

By Todd Hoff of High Scalability 9 days ago.

…management, and have the state replicated in the backup region. That or sidestep ELB in your region to a team of stateless load balancers that terminate SSL.

Jeremy Edberg, to a question about how to run databases without EBS, says: By having good replication, either hand-rolled or built in.

At Netflix we use Cassandra and store all data on local instance storage. We don't use EBS for databases.

highscalability.com

By David of Signal vs. Noise 9 days ago.

…much about your internal performance metrics until you've cared enough about the full stack of SSL termination overhead, CDN optimization, JS/CSS asset minimization, and client-side computational overhead (the latter easily catching out people following the "just do a server-side API", since the JSON may well generate in 50ms, but then the client-side computation takes a full second on the below-average device — doh!).

Level two, once reasonable efforts have been …

37signals.com

…variant you're using uses yaSSL instead of OpenSSL. In addition, in many cases SSL support is disabled on the server side by default, which might not be the best thing from a security standpoint but can save us from this bug. Finally, in many configurations the SSL/TLS connection setup will take place after initial handshake which does not allow this vulnerability in all cases. I do not have hard numbers but I would guess no more than 10-20% of MySQL (and variants) installations …

mysqlperformanceblog.com

By Nathan Smith of Chef Blog 12 days ago.

Update Rack::SSL (CVE-2014-2538)

Update libyaml (CVE-2014-2525)

About the OpenSSL Update

OpenSSL was updated to 1.0.1g to address the Heartbleed Bug. Management Console was not directly affected by this bug (it runs behind Enterprise Chef's Nginx) but we've updated the dependency on OpenSSL as a precaution.

When running this release of the Manage Add-on you should also be running at least Enterprise Chef 11.1.3 and have …

opscode.com

By Joshua Timberman of Chef Blog 13 days ago.

Enterprise Chef is not affected, as none of the external services using SSL are linked against a vulnerable version of OpenSSL. However, as a precautionary measure, we decided we would update OpenSSL packages in our infrastructure that were affected.

Our Search Infrastructure

For those unfamiliar with the internals of the Chef Server API, the reference implementation uses Apache Solr for indexing the JSON data, such as information about nodes that are managed. In our Hosted Enterprise Chef…

opscode.com

SSH does not use SSL/TLS, so you're OK there. If you downloaded a binary installation of MySQL community from Oracle, you're also OK, because the community builds use yaSSL, which is not known to be vulnerable to this bug. Obviously, any service which doesn't use SSL/TLS is not going to be vulnerable, either, since the salient code paths aren't going to be executed. So, for example, if you don't use SSL for your MySQL connections, then this bug isn't …

mysqlperformanceblog.com

By Patrick of Kalzumeus Software 14 days ago.

…library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises …

kalzumeus.com

By Hongli Lai of Phusion Corporate Blog 14 days ago.

You are using Passenger Standalone, with SSL enabled inside Passenger Standalone (that is, passenger start --ssl).

You are not vulnerable (to the Passenger Standalone static linking issue) if:

You are not using Passenger Standalone (e.g. if you're using Phusion Passenger through the Apache or Nginx integration mode).

You are using Passenger Standalone, but without SSL.

Your Passenger Standalone is behind another SSL-enabled reverse proxy.

Update: Please …

blog.phusion.nl

By miraculous1 of mir.aculo.us 15 days ago.

bug for several years which allowed attackers to untraceably read all your SSL traffic and some server memory.

If you're like me and have better things to do than reinvent the fix-wheel and you're all like "WTFBBQ TL;DR", here's the absolute minimum that anyone who runs a web server with SSL must do.

NO, NONE OF THESE STEPS ARE OPTIONAL.

Update OpenSSL to 1.0.1g. This is required before you do anything else.

Recompile anything that's statically …

mir.aculo.us

By Craig Kerstiens of Heroku 15 days ago.

…certificate as your private key or other data may have been exposed. If you are running the legacy SSL hostname add-on, you should migrate to SSL endpoint.

While we're confident that all of the aforementioned vectors have been addressed, we are continuing to monitor the situation and have a heightened eye to potential abuse on the Heroku platform.

Thank you for your patience while we worked on resolving this issue. As always, please don't hesitate to let us know if …

blog.heroku.com