What is the vulnerability about?
The vulnerability is effectively a bug in all the versions of OpenSSL from Ver. 1.0.1 to 1.0.2. In reality a lot of web-sites are either using the older and still popular OpenSSL 0.9.8 or they have already upgraded to the latest patched version of OpenSSL and thus are NOT vulnerable to heartbleed.
Are you passwords safe ?
In a nutshell yes when they are posted or exchanged with a server that is not vulnerable to this attach:
- GitEnterprise (gitent-scm.com) has never used any OpenSSL 1.0.1-1.0.2 (see: https://www.ssllabs.com/ssltest/analyze.html?d=gitent%2dscm.com) and thus is not vulnerable: you can keep your existing password as they are safe.
- GerritHub (gerrithub.io) has been vulnerable for only 5 days and then has been upgraded (see https://www.ssllabs.com/ssltest/analyze.html?d=gerrithub.io). However GerritHub DOES NOT exchange passwords over the Internet but rely on your existing GitHub session through OAuth Token authentication. This means that during the 5 days of vulnerability your account has NOT been at risk on GerritHub.
What about GitHub ?
Unfortunately GitHub has been vulnerable (see https://github.com/blog/1818-security-heartbleed-vulnerability) but the problem has been resolved or is under resolution right now as the nodes get upgraded.
We do recommend then to change your GitHub password in order to be sure that any previous credentials potentially stolen would not impact the security of your account and repositories.
GerritHub relies on GitHub OAuth, so is GerritHub at risk as well ?
In real terms the answer is “potentially yes”: if a potential attacker had been stolen your GitHub password, he could have initiated a login on your behalf and then accessed GerritHub as well.
How can I strengthen my GitHub security ?
GitHub already support today the two-factor authentication (see https://help.github.com/articles/about-two-factor-authentication): if you have this extra security enabled, nobody other than you can ever access your account, even if they could have potentially stolen your password.
Can I have a GerritHub account secured independetly from GitHub ?
Not yet, however we are working on an advanced security option for the private GerritHub accounts. We will offer for a monthly extra fee:
- Access to your GitHub private Teams and Repositories
- Extra scripting functionality to hook Gerrit events on the server side
(commit validation, issue tracking association, …)
- Integration with Atlassian Jira or BugZilla
- Integration with BuildHive from CloudBees for Continuous Integration
- Extra enterprise account protection for GerritHub.io accounts (additional password / X.509 Certificates)
Wow, that is amazing ! When can I get GerritHub private edition ?
We are currently in public beta stage, you can start using the implemented features for FREE during the trial by logging in to GerritHub using the URL:
Can I provide suggestions and give feedback during the public beta trial ?
Yes, you are very welcome to provide your feedback and we are very opened to adjust the development of GerritHub private features to your needs !
For problems and getting support:
For suggestions and feedback, please use the Gerrit Code Review forum:
Is GerritHub OpenSource ?
Absolutely YES: GerritHub is based on Gerrit Code Review 2.10-SNAPSHOT master with a selected set of enterprise plugins:
- GitHub plugin
- Codenvy plugin
- ITS-Jira plugin
- Scripting provider plugin
- SingleUserGroup plugin
- Download commands plugin
- Replication plugin
- Gravatar plugin
- Review notes plugin
If you want to directly review and contribute to Gerrit, you are welcome to the developers and contributors community !