Heartbleed & Soulseek
Submitted by kosf on Thu, 04/10/2014 - 03:37
Forums:
Hello everyone. I'm one of many (I trust) who believes Soulseek to be so sensational that for more than 10 years I've largely roamed there, exchanging information and fun with Soulseekers, without much need to find answers on the forum. The matter at hand makes a difference:
Thoughts surrounding the Heartbleed bug brings me to ask: what's the reality regarding it and Soulseek?
slsknet.org and soulseekqt.net both result in alarm from the following Heartbleed test site:
I've searched on the forum, and Heartbleed gets no mention. How is using Soulseek affected?
I will be grateful to any insight.
Thank you Soulseek. You couldn't be lovelier to me.
- Log in to post comments
not an issue on unencrypted web traffic
Heartbleed only affects encryption services that use the OpenSSL code library, such as the HTTPS service offered by the Apache web server if it was built against a vulnerable version of that library. Not all Apache installations are built with this library, but I think the one Nir is using to serve up his websites is. Both sites are using the same server.
However, right now your browser's connection to the websites is probably using regular, unencrypted HTTP, not HTTPS, so it doesn't matter if the bug is present. So just like when you access any other ordinary HTTP site, an eavesdropper on the line or "man in the middle" can know all our IPs, login credentials, postings, and everything we look at on the site. If we were using HTTPS, all that they would see is that our IPs connected to Nir's and conversed via HTTPS.
Nir apparently did start to set up rudimentary HTTPS service a while back, but he doesn't have a valid certificate from a reputable provider; he's only using an expired, self-signed certificate, probably just something he set up temporarily to test with. So if you try to browse the site via HTTPS, you will have to click through a harsh warning presented by your browser, and you'll have to explicitly add his cert to your trusted certificates to indicate that you trust that it is actually Nir's (not a middleman's) and that his server's private key hasn't been compromised. I wouldn't do that, if I were you, just as a matter of best practices. I'm also guessing he didn't set it up with virtual hosting (on HTTPS servers it's still a relatively new feature) so probably the HTTPS service is only for the default domain, which may be one of the two you asked about or maybe another one altogether. I didn't click through the warnings to find out.
As for the Soulseek file-sharing clients and the Soulseek network's central server, I doubt any of them use OpenSSL; the protocol doesn't support encryption, AFAIK. If you really need to cloak your network traffic, you need to use a VPN.
Thanks for insight into Heartbleed & Soulseek
Thanks very much for your thorough and insightful answer, microwave. You've certainly added clarity to the situation.