This AgileBits forum (discussions.agilebits.com) in Watchtower

LarryMcJ
Community Member
edited May 2014 in Mac

Though I'm changing the passwords in those sites indicated by Watchtower, I find it a bit disconcerting that when I view this very forum's login in 1Password, Watchtower indicates it is a vulnerable site. Here is a link to a screenshot of this in 1Password (personal info blurred): http://take.ms/eBiMF.

Based on this, I'd like to know how good Watchtower really is at identifying sites with the Heartbleed bug? Thanks!

Comments

  • JamesHenderson
    Community Member

    I have the same. And on the list, the Agile Forum is listed as being the most important (above my bank and email logons).

  • jpgoldberg
    1Password Alumni

    You can safely change your password for https://discussions.agilebits.com. And Watchtower is correctly reporting that the certificate can't be verified, and so telling you to wait.

    In terms of Heartbleed, it is all fixed. But in terms of general certificate configuration there is another problem that we need to straighten out and that Watchtower is correctly warning you about.

    Ah, how should I put this. The current situation with SSL certificates and discussions.agilebits.com is, well, less than ideal. (This will change soon.) Our discussion forums are hosted by Vanilla Forums. We've "outsourced" the hosting of the forums so we can focus on what we love to do. So the SSL certificate that you see for "discussions.agilebits.com" is actually for "*.vanillaforums.com". Your browser should actually warn you about a hostname mismatch.

    Vanilla forums cert for discussions.agilebits.com

    Now you can also select the 'Always trust '*.vanillaforums.com' when connected to "discussions.agilebits.com"' box, so that you don't see this sort of warning each time. But these warnings do, in general, matter. So Watchtower will not "approve" a certificate if it doesn't appear to be the right certificate for the domain.

    We have a certificate for "*.agilebits.com", but to use that on the machine run by Vanilla Forums, they would need access to the private key for our certificate. I'm sure that they are good folk there, but still we should not be handing out the private keys for our certificate.

    Instead what we need to do is get a new certificate specifically for "discussions.agilebits.com" which will have its own private keys and we just hand that over to Vanilla Forums. This is something we are doing right now. So in the next day or two, you should (a) stop seeing the host mismatch warning when connecting to https://discussions.agilebits.com, and (b) see Watchtower saying that the certificate looks good.
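    The hostname check that produces the warning described above, written out as an added example (this is not 1Password's, Vanilla's or AgileBits' code): a certificate's DNS names, including a wildcard like "*.vanillaforums.com", are matched against the host the client connected to, and a wildcard only covers one label. The CertNames class and the function names are constructed for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Names a server certificate claims: subject CN plus subjectAltName DNS entries.
    Constructed for this example; real validators read these from the X.509 cert."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)

    def all_dns_names(self) -> list[str]:
        # Modern validation uses the SAN list; CN is only a fallback when SAN is absent.
        return self.san_dns if self.san_dns else [self.common_name]


def name_matches_host(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a hostname.

    RFC 6125 style rules: case-insensitive; '*' is honoured only as the whole
    left-most label and matches exactly one label. So '*.vanillaforums.com'
    matches 'forum.vanillaforums.com' but not 'discussions.agilebits.com',
    'a.b.vanillaforums.com' or the bare 'vanillaforums.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole TLD, e.g. '*.com'.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as 'f*.example.com' are rejected
    return p_labels == h_labels


def cert_matches_host(cert: CertNames, hostname: str) -> bool:
    """True if any name on the certificate is valid for the connected hostname."""
    return any(name_matches_host(name, hostname) for name in cert.all_dns_names())


def explain(cert: CertNames, hostname: str) -> str:
    """The kind of message a site-health check like Watchtower would surface."""
    if cert_matches_host(cert, hostname):
        return f"certificate is valid for {hostname}"
    return f"hostname mismatch: connected to {hostname} but certificate is for {', '.join(cert.all_dns_names())}"


# Constructed stand-in for the wildcard certificate the thread describes.
VANILLA_WILDCARD = CertNames("*.vanillaforums.com", ["*.vanillaforums.com"])
```

    Running explain(VANILLA_WILDCARD, "discussions.agilebits.com") yields the mismatch message, which is exactly the condition Watchtower refused to approve.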

  • jpgoldberg
    1Password Alumni

    Two weeks ago, I wrote:

    The current situation with SSL certificates and discussions.agilebits.com is, well, less than ideal. (This will change soon.) [Emphasis added]

    Sorry for the delay. Ironically enough one of the sources of delay was that it is easier to get an SSL certificate than expected. Anyway, at this point I will just say "any day now".

  • RyanPoirier
    Community Member

    I guess screenshots don't attach very well in here. Anyway, that's this very discussion forum login & URL that showed up in my Watchtower. :~)

  • khad
    1Password Alumni

    Hi @RyanPoirier,

    I merged your post with this existing thread. Please see @jpgoldberg's posts and let us know if we can be of further assistance. This is definitely something on our radar.

  • jpgoldberg
    1Password Alumni

    I am pleased to announce that we have long passed the point where the delay in getting a proper certificate in place for discussions.agilebits.com can be blamed on me, and so I can point the accusing finger elsewhere. After all, it's not whether you win or lose, but how you lay the blame. :-)

    More seriously, we are ultimately responsible for anything in an *.agilebits.com domain. And so we are continuing to push to get this done. It continues to take longer than originally anticipated. I'm sorry about that.

This discussion has been closed.