The AAVSO Website and Heartbleed

willmcmain
Joined: 2010-09-15

As many of you have heard, a vulnerability was recently discovered in OpenSSL which allows attackers access to vast amounts of sensitive information on websites using this software. This vulnerability is called Heartbleed; if you're not familiar with it you can read about it here.

The AAVSO is currently in the planning stage to move towards securing our website through SSL. However, at this time, no portion of the AAVSO website is currently served using SSL; therefore, the OpenSSL vulnerability does not affect our website. 

There is one exception: the AAVSO website uses a credit card payment gateway provided by PayPal to facilitate membership payments, donations, and other payments made to the AAVSO. As of the time of writing, we have verified that PayPal's payment gateway is not affected by this vulnerability.

What this means is that your data with the AAVSO is safe. However, if you use the same password on the AAVSO that you use on other websites, those other websites may have been compromised. If that's the case we recommend that you change your AAVSO password.

Thanks
BPO
Joined: 2010-07-28

Just updated my password.

Great advice, thanks Will.

Douglas.

willmcmain
Joined: 2010-09-15

xkcd has an excellent non-technical explanation of how the exploit works.
