Friends General Conference

Security News: FGC and the Heartbleed Bug

At this point news coverage about the Heartbleed bug has been widespread.  

All FGC websites have been secure and continue to be secure, including the Quaker Cloud, and QuakerBooks.  We were not affected by the Heartbleed bug.

If you're interested in further details:

Some of the Heartbleed testing tools say that FGC may have been vulnerable in the past. Is this true?

No.  FGC was not affected by this bug.  

These testing tools detect whether a server is running any version of the OpenSSL software, and OpenSSL may or may not contain this bug depending on the version.  The bug was introduced in OpenSSL version 1.0.1 and persisted up to 1.0.1f.  For the entire lifespan of our current webserver we have run, and will continue to run, OpenSSL 0.9.8, which does not contain this bug.
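As an added illustration (not part of FGC's announcement), the Python below classifies OpenSSL version strings by the upstream range described above, so that a scanner's "OpenSSL detected" result can be triaged; the banner strings are constructed. A version-only check is only a starting point, because a distribution such as CentOS backports fixes without changing the version number.

```python
import re
from typing import Dict, List, Optional, Tuple

# Upstream Heartbleed range: OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix.
# The 0.9.8 and 1.0.0 branches never had the affected heartbeat code.
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "0.9.8y", "1.0.1e-fips", "1.0.2-beta1".
VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str, bool]]:
    """Return (major, minor, patch, letter, is_prerelease) or None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, beta is not None


def heartbleed_status(text: str) -> str:
    """Classify by upstream version number: 'affected', 'not_affected' or 'unknown'.

    'affected' means the number falls in 1.0.1 .. 1.0.1f. It says nothing about
    vendor packages that keep the number but backport the fix; those need a
    package changelog check, which a version string cannot provide.
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter, is_prerelease = parsed
    if is_prerelease:
        return "unknown"  # pre-release builds are not modelled here
    if (major, minor, patch) != AFFECTED_BRANCH:
        return "not_affected"
    # Plain "1.0.1" and letters a..f are affected; g and later are fixed upstream.
    if letter == "" or letter < FIRST_FIXED_LETTER:
        return "affected"
    return "not_affected"


# Constructed scanner banners (hypothetical hosts), not real scan output.
SAMPLE_BANNERS: List[str] = [
    "OpenSSL 0.9.8y 5 Feb 2013",        # the branch the answer above describes
    "OpenSSL 1.0.1e-fips 11 Feb 2013",  # vulnerable upstream; may be patched by vendor
    "OpenSSL 1.0.1g 7 Apr 2014",
]


def triage(banners: List[str]) -> Dict[str, str]:
    """Map each banner to its version-based Heartbleed status."""
    return {b: heartbleed_status(b) for b in banners}
```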

Why is FGC using an old version of OpenSSL, isn't this also a security problem?

In this case, no; our conservative upgrade approach was an asset.  The version of OpenSSL we are using continues to receive security updates and bug fixes whenever any issues are found.  We are running a type of Linux known as CentOS, which focuses on stability, reliability, and security instead of providing the newest and greatest features.  Once a version of CentOS is released, the community that supports it typically doesn't provide any new features; the only updates they provide are security and bug fixes.  The Heartbleed bug was introduced when OpenSSL added a new feature.

While these new features are typically behind the scenes, and not anything a user of an FGC website would see, at some point we will want to upgrade to a newer version of CentOS.  Our hope is that by the time we do upgrade, there will have been enough time for any major bugs in these new features (like Heartbleed) to be found and resolved.