Fallout from Heartbleed

by Chad Bergeron -
Number of replies: 1

We've already updated our OpenSSL and generated a new certificate for our Moodle site, but we're trying to decide if we need to force a password change on all of our users. Currently, authentication is done via Active Directory, and the AD server is not vulnerable, but we are trying to determine what happens to the users' credentials when they are sent to Moodle. How are they passed along to AD for authentication, and how long are they resident in memory?

My security hat says the safest option is to force a password reset, but we are rolling into the busiest part of the semester, so before pulling the pin on that grenade, I'm hoping someone with a clearer insight into the workings of the AD authentication system can provide input.

Average rating: -
In reply to Chad Bergeron

Re: Fallout from Heartbleed

by Matt Spurrier -

If users are entering their username and password into the web form, then yes, you should have all users reset their credentials. If you're using single sign-on (i.e. Kerberos), then you should be okay, as this uses token-based authentication behind the scenes.

Because the issue is undetectable, and you don't know what information has or hasn't been exposed, it's best practice to assume everything is compromised and to act accordingly.

I have posted about Heartbleed here for more information - https://moodle.org/mod/forum/discuss.php?d=258211

Matt