cancel
Showing results for 
Search instead for 
Did you mean: 

OpenSSL bug (Heartbleed) on Plusnet routers

agentgonzo
Grafter
Posts: 41
Registered: 02-07-2012

OpenSSL bug (Heartbleed) on Plusnet routers

Does anyone know whether the routers supplied by Plusnet (specifically mine, the tg582) are affected by the recent OpenSSL heartbleed bug?
http://heartbleed.com/
It's a major vulnerability that means any TLS (ie HTTPS) connection can potentially leak any system memory.
24 REPLIES
Plusnet Alumni (retired) LinnPlusnet
Plusnet Alumni (retired)
Posts: 1,686
Registered: 03-02-2014

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Hi agentgonzo,
We currently don't have any information regarding this and if it effects our routers. We're trying to obtain further information and as soon as we have any we'll provide an update.
Plusnet Alumni (retired) LinnPlusnet
Plusnet Alumni (retired)
Posts: 1,686
Registered: 03-02-2014

Re: OpenSSL bug (Heartbleed) on Plusnet routers

We've just received a response from our suppliers and they've confirmed that our routers are not affected Smiley
agentgonzo
Grafter
Posts: 41
Registered: 02-07-2012

Re: OpenSSL bug (Heartbleed) on Plusnet routers

That's good news! I assume that the version of openssl installed on the thomson routers must be an older (and unaffected) version <1.0.1
Many thanks. I'm sure that elite hackers jumping on this have bigger targets than my pokey house in the middle of no-where, but it's good to know.
mattturner
Grafter
Posts: 246
Thanks: 2
Registered: 25-06-2009

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Yes, they all run OpenSSL version 1.0.0 - not affected.
Matt
Community Veteran
Posts: 5,056
Thanks: 422
Fixes: 16
Registered: 10-06-2010

Re: OpenSSL bug (Heartbleed) on Plusnet routers

[tt]OpenSSL 0.9.8l 5 Nov 2009[/tt]
according to the strings in the linux_appl.exe program within the 10.2.5.2 firmware.
Superuser
Superuser
Posts: 11,054
Thanks: 2,405
Fixes: 21
Registered: 22-08-2007

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Somewhat more to the point are the SSL/TLS services on PN's business platforms (e.g. the user portal) affected by this issue?
RickK
Grafter
Posts: 60
Registered: 03-07-2013

Re: OpenSSL bug (Heartbleed) on Plusnet routers

I have already checked portal.plus.net and the bug does not appear even though I cannot find out the OpenSSL version it is not affected by Heartbleed.
If you have any sites of your own you can use the following tool; http://rehmann.co/projects/heartbeat/
CyclesWithBees
Newbie
Posts: 4
Registered: 10-04-2014

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Just for reference, here's another tool I've been using to check sites for heartbleed vulnerability - it's been the best one I've seen so far, though if it finds multiple IP addresses for a given name you need to click through to each one to actually see whether they reckon it's vulnerable.
https://www.ssllabs.com/ssltest/index.html
RickK
Grafter
Posts: 60
Registered: 03-07-2013

Re: OpenSSL bug (Heartbleed) on Plusnet routers

So you are the reason that our checker is constantly reaching capacity!  Grin
CyclesWithBees
Newbie
Posts: 4
Registered: 10-04-2014

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Darn, you found me! I'd've... umm... stuff, if it wasn't for you pesky kids Smiley
Community Veteran
Posts: 38,460
Thanks: 1,027
Fixes: 62
Registered: 15-06-2007

Re: OpenSSL bug (Heartbleed) on Plusnet routers

update here http://www.bbc.co.uk/news/technology-26971363
Looks as though the major banks and Amazon are OK but not Amazon Webservices and Google including Gmail
Checking my Google Account I probably won't bother as there isn't any payment method associated with it and it is a unique password
I don't have Gmail
Gel
Seasoned Pro
Posts: 1,473
Thanks: 150
Fixes: 12
Registered: 02-08-2007

Re: OpenSSL bug (Heartbleed) on Plusnet routers

wintonian
Dabbler
Posts: 18
Registered: 25-04-2013

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Apparently as I don't use Plusnets router they are unable to advise me as to the vulnerability of their website (member centre). It seems that as OpenSSL works on the router that it is my responsibility to check and fix any vulnerability.  Huh
So why all this advice to change passwords if you can just buy, update or use an old router?  Huh
What does Plusnet suggest I do with my phone - should I buy a new one or not use it to access their website?
Community Veteran
Posts: 5,056
Thanks: 422
Fixes: 16
Registered: 10-06-2010

Re: OpenSSL bug (Heartbleed) on Plusnet routers

If the version of OpenSSL in the router had this bug, which apparently it doesn't, that would only affect https connections to the router itself, https://dsldevice.lan, websites on the Internet would be entirely independent of your router being vulnerable or not.