Security alert: Dmedia vulnerable to Heartbleed

Written for Novacut by Jason Gerard DeRose on 2014-04-19

Security alert: Dmedia vulnerable to Heartbleed

Dmedia (and therefor Novacut) are affected by the Heartbleed[1] bug in the
OpenSSL[2] library. This bug is very serious as it allows an attacker to
capture the private keys Dmedia uses, which then allows an attacker to steal
both your Dmedia library metadata and the files it contains.

Please see USN-2165-1 for details about the OpenSSL fix in Ubuntu:

What you need to do

To correct this problem, first make sure your packages are up-to-date:

    sudo apt-get update
    sudo apt-get dist-upgrade

Then you'll need to force Dmedia to generate new user and machine certificates:

    rm ~/.local/share/dmedia/user-1.json
    rm ~/.local/share/dmedia/machine-1.json
    restart dmedia

You should do this on all your computers running Dmedia before peering them

The next time you open Dmedia or Novacut, you'll be presented with the Dmedia
new-account screen[3].

On your first computer, click "New Account". On any additional computers, click
"Connect to Devices" and then accept the peering offer on the first computer.

More details

It's easy for an attacker on the local network to use the Heartbleed bug to
attack Dmedia on systems running a vulnerable version of OpenSSL. This includes
when you're using, for example, a public WiFi network at a coffee shop. This is
true even when you only have a single Dmedia device on a given network.

In practice it's probably very difficult for a remote attacker to exploit
Heartbleed in Dmedia from across the Internet. Most home routers use NAT to
prevent direct access to your computers from across Internet. Also, each time
Dmedia starts, it runs on a different, random port. Dmedia uses Avahi[4] to
advertise this random port to other Dmedia devices on the local network. Dmedia
does *not* advertise this random port to any outside servers. That said, remote
attacks could sill be possible if, for example, your router was compromised.

As Dmedia is not yet widely used, it's probably not yet a common attack target.
However, to play it safe, please follow the above procedure to generate new
Dmedia SSL certificates.

[1] Heartbleed:
[2] OpenSSL:
[3] Peering screen:
[4] Avahi:

Read all announcements