Fallout from Heartbleed

by Chad Bergeron -
Number of replies: 1

We've already updated our OpenSSL and generated a new certificate for our Moodle site, but we're trying to decide if we need to force a password change on all of our users. At current, authentication is done via Active Directory, and the AD server is not vulnerable, but we are trying to determine what happens to the users' credentials when they are sent to Moodle. How are they passed along to AD for authentication, and how long are they resident in memory?

My security hat says the safest option is to force a password reset, but we are rolling into the busiest part of the semester, so before pulling the pin on that grenade, I'm hoping someone with a clearer insight into the workings of the AD authentication system can provide input.

In reply to Chad Bergeron

Re: Fallout from Heartbleed

by Matt Spurrier -

If users are entering their username and password into the web form then yes, you should have all users reset their credentials; if you're using single sign-on (i.e. Kerberos) then you should be okay, as this uses token-based authentication behind the scenes.

Because the issue is undetectable, and you don't know what information has or hasn't been exposed, it's best practice to assume everything is compromised, and should be acted upon accordingly.

I have posted about Heartbleed here for more information - https://moodle.org/mod/forum/discuss.php?d=258211

Matt