Stackoverflow HTTPS Error – Heartbleed Bug - Igglyboo
https://stackoverflow.com/

======
Nick-Craver
We have now deployed new keys and certificates across our network after
patching the vulnerability immediately this morning. Forward secrecy was used
previously and still is, drastically limiting the surface area/usability of
the attack in our case.

You can view stackoverflow.com's current public SSL test here:
[https://www.ssllabs.com/ssltest/analyze.html?d=stackoverflow.com](https://www.ssllabs.com/ssltest/analyze.html?d=stackoverflow.com)

Nick Craver, Stack Exchange Systems Administrator

------
luma
I don't think this is the bug per se, but it may very well be due to their
reaction to the bug. The safe response for secure systems is to reissue certs
after patching impacted OpenSSL instances. It looks like they instead have
switched over to a previously-issued wildcard cert for *.stackexchange.com.
The cert is valid, but it's for the wrong domain.

This is more likely the result of a sysadmin screwing up the response and not
bothering to check the work. Maybe s/he should post on stackexchange for some
help :D

~~~
Nick-Craver
We are actually waiting on a re-issue of a combined wildcard at the moment,
but as DNS propagates you'll be served a previous, still valid cert in the
interim.

We hope to get the final cert deployed within the hour...as soon as we have it
in hand. Our other certs are queued up and ready to do on a secondary load
balancer.

CAs are understandably a bit busier than normal today.

~~~
spolsky
n.b. Nick is a Stack Exchange system administrator

------
jensnockert
What am I supposed to see? I just get an invalid certificate? Or is that what
I am supposed to see?

~~~
josh-wrale
It looks like they self-issued new certs after patching their servers: A
radical move, if that's the case, but it's probably justified given the scope
of the bug.

Edit: Looking closer at the invalid cert, it appears to be a host name
conflict, not a self-issued cert. This is probably a result of the rush to
re-issue.

However, BEWARE! Invalid certs are nearly always suspicious!

~~~
josh-wrale
luma has the answer further down the thread. I didn't look at the date. I
should really return to caffeine after many years away from it. lol

------
Yuioup
Does IIS running on Windows have the same security vulnerability? Or is
Stackoverflow running on Linux+Mono?

~~~
Nick-Craver
Our load balancer is HAProxy which also does SSL termination, so IIS is not
involved with SSL certificates or termination in our setup. Also, the
vulnerability was specific to OpenSSL.

------
mandlar
This says it is patched?
[http://possible.lv/tools/hb/?domain=stackoverflow.com](http://possible.lv/tools/hb/?domain=stackoverflow.com)

~~~
AnthonyMouse
Patching OpenSSL is only the first step. In theory having operated the servers
with an unpatched OpenSSL for some period of time means that your private keys
could have been compromised, so to be safe you have to replace your keys and
certificates. This appears to be some consequent misconfiguration with the
certificates.
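
The two checks the thread keeps coming back to, whether the served certificate actually names the host you connected to (luma's wildcard-for-the-wrong-domain case) and whether it was issued after the OpenSSL patch rather than merely served by a patched server (AnthonyMouse's point), can both be run offline against the dictionary that Python's `ssl.getpeercert()` returns. The script below is an added example, not code from Stack Exchange or from anyone in the thread. The two certificate dictionaries are constructed for illustration and carry made-up dates; the reference date is Heartbleed's public disclosure date, 2014-04-07, and the wildcard rule follows RFC 6125 (a `*` covers exactly one leftmost label). To inspect a live host you would pass the result of `ssl.create_default_context().wrap_socket(...).getpeercert()` instead of the sample dictionaries.

```python
"""Offline sanity checks on a certificate in ssl.getpeercert() layout:
1. does the certificate cover the hostname we connected to?
2. was it issued after a given remediation date (here: Heartbleed disclosure)?
"""
import ssl

# Reference date: Heartbleed was disclosed on 2014-04-07. A certificate whose
# notBefore precedes this was served by a possibly-vulnerable OpenSSL, so the
# key should be treated as potentially exposed even if the server is now patched.
HEARTBLEED_DISCLOSURE = "Apr  7 00:00:00 2014 GMT"


def _name_matches(name, host):
    """RFC 6125-style comparison of one certificate name against a hostname.

    A wildcard is only honoured as the entire leftmost label and matches
    exactly one label, so '*.example.com' covers 'www.example.com' but not
    'example.com' or 'a.b.example.com'.
    """
    if "*" not in name:
        return name == host
    first, _, rest = name.partition(".")
    if first != "*" or not rest:
        return False            # '*' elsewhere than the leftmost label: reject
    _, sep, host_rest = host.partition(".")
    return bool(sep) and host_rest == rest


def hostname_matches(cert, hostname):
    """True if hostname is covered by the cert's SAN dNSNames (CN as fallback only)."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates without a SAN extension
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    host = hostname.lower().rstrip(".")
    return any(_name_matches(name.lower(), host) for name in names)


def issued_after(cert, reference=HEARTBLEED_DISCLOSURE):
    """True if the certificate's notBefore is later than the reference date."""
    return ssl.cert_time_to_seconds(cert["notBefore"]) > ssl.cert_time_to_seconds(reference)


def assess(cert, hostname, reference=HEARTBLEED_DISCLOSURE):
    """Return a list of findings; an empty list means both checks passed."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    if not issued_after(cert, reference):
        problems.append("issued before remediation date")
    return problems


# Constructed sample certificates (illustrative values, not real certificates).
# OLD_WILDCARD models the situation luma describes: a valid but pre-existing
# *.stackexchange.com wildcard being served for stackoverflow.com.
OLD_WILDCARD = {
    "subject": ((("commonName", "*.stackexchange.com"),),),
    "subjectAltName": (("DNS", "*.stackexchange.com"), ("DNS", "stackexchange.com")),
    "notBefore": "Jan 10 00:00:00 2014 GMT",
    "notAfter": "Jan 10 23:59:59 2016 GMT",
}
# REISSUED models a combined wildcard re-issued after the patch.
REISSUED = {
    "subject": ((("commonName", "*.stackoverflow.com"),),),
    "subjectAltName": (
        ("DNS", "*.stackoverflow.com"),
        ("DNS", "stackoverflow.com"),
        ("DNS", "*.stackexchange.com"),
        ("DNS", "stackexchange.com"),
    ),
    "notBefore": "Apr  8 12:00:00 2014 GMT",
    "notAfter": "Apr  8 11:59:59 2016 GMT",
}

if __name__ == "__main__":
    for label, cert in (("old wildcard", OLD_WILDCARD), ("re-issued", REISSUED)):
        print(f"{label:>13}: {assess(cert, 'stackoverflow.com') or 'OK'}")
```

The date check is deliberately coarse: it only tells you the certificate post-dates the disclosure, not that the old key was revoked or that the new key was generated on a patched machine, so it is a screening step rather than proof of a clean rotation.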

------
egeozcan
It seems to be fixed now.

