W3C home > Mailing lists > Public > www-style@w3.org > April 2014

csswg.org Heartbleed Information

From: Peter Linss <peter.linss@hp.com>
Date: Thu, 10 Apr 2014 16:51:26 -0700
Message-Id: <178C4ED9-395A-4DDA-BBC2-FDA85DEAAAC6@hp.com>
To: CSS WG mailing list <w3c-css-wg@w3.org>, www-style list <www-style@w3.org>
As most of you are probably aware, there was a vulnerability recently announced in the OpenSSL library referred to as "Heartbleed". 

The server hosting csswg.org was running an affected version of OpenSSL and may have been subject to an attack. There is no data indicating that the server was, in fact, compromised in any way, but as the nature of the bug doesn't leave information on the server there's no way to know for sure. The vulnerability allows an attacker to read the memory of the server and potentially retrieve private keys as well an any other information that may be in memory at the time of the attack.

As of Tuesday morning the server was upgraded to a patched version of OpenSSL. At this point the SSL certificates for csswg.org have been revoked and replaced (and upgraded while I was at it) and the server should be considered secure.

The applications running on csswg.org, such as the group's wiki and Shepherd, only store passwords in a secure cryptographically hashed form, so even if they were retrieved from the server, there is little likelihood of them being compromised. However, if the site's private certificate data has been compromised it is theoretically possible for an attacker to have intercepted passwords in transit over a https connection.

I have not reset anyone's password at this point, but if anyone if feeling paranoid, feel free to reset your password at the following URL:
https://test.csswg.org/shepherd/login/account/information/

As always, if you see any issues with the server, please notify me immediately.

Peter

Received on Thursday, 10 April 2014 23:51:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 2 May 2016 14:39:21 UTC