Are HTTPS Drupal sites insecure? Not anymore!

InformationWeekImage via Wikipedia

You might recall my previous article where I wrote:

Personally, I think it’s just spreading FUD; but Information Week is reporting that “Just over a week ago, security researcher Mike Perry presented information at the DEFCON security conference about a vulnerability that affects many SSL-secured Web sites, including Amazon, Facebook, Gmail,, most Drupal sites, and many online merchants and banks. ”In the eyes of Robin Monks, Aug 2008

You should read the whole article if you havn’t already.  Back?  OK!  So, after a call for some dev comments on the issue (thanks to John Wilkins and Christefano for the heads-up!), I can safely say this issue is fixed in DRUPAL-6 branch, HEAD, and about to be fixed in DRUPAL-5.  So the fix will be in the next security release of Drupal 5 and 6, and also in Drupal 7.  Go go Drupal devs!

Reblog this post [with Zemanta]
Show CommentsClose Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.