iPredict.co.nz site vulnerability

Posted by Hamish 
April 09, 2014 08:21PM
A software vulnerability in the OpenSSL library has been reported that can expose the private RSA keys of a site to an attacker. This has been named the 'Heartbleed Bug' vulnerability, and it means that communications with vulnerable sites cannot be considered secure.

You can read more about the bug here: [heartbleed.com]

Quote

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

iPredict is a vulnerable site, as identified here: [filippo.io].

You can read more technical information about what this means here: [www.mattslifebytes.com]

In particular:

Quote

...the currently-available proof-of-concept scripts allow any client, anywhere in the world, to perform a session hijacking attack of a logged in user.

iPredict needs to upgrade their OpenSSL library to a safe version (refer [www.openssl.org]) then revoke and replace the existing SSL certificate.

iPredict users: if you are using your iPredict password elsewhere, change those passwords on other sites immediately. iPredict should force a password reset once the issue is fixed, but if they don't, you should change it yourself.
Re: iPredict.co.nz site vulnerability
April 10, 2014 02:03PM
Still vulnerable. Admins, this is urgent.
Re: iPredict.co.nz site vulnerability
April 10, 2014 02:52PM
Our Tech Team is aware of this and they think we should be covered. However, they are testing to make sure everything is secure, and will probably take the server down for some ahead-of-schedule updates at midnight.
Re: iPredict.co.nz site vulnerability
April 14, 2014 01:06PM
Thanks for the speedy response on this, and I see a new cert has been issued. Considered forcing a password reset or emailing everyone? And while you're at it, want to fix the forum search?