#1  access-mdb (4 Star Lounger, Oxfordshire, UK)

    Major security problem

    See http://www.bbc.co.uk/news/technology-26954540

    Should we now change all our passwords as suggested? I'm surprised this hasn't been mentioned on the lounge before.

#2  Paul T (Platinum Lounger, Earth)
    Only a problem if your software uses OpenSSL. If you are running an Apache web server or email encryption, you may be vulnerable, but I don't know of any typical user programs that use it.

    Web servers where you have an account may be vulnerable, but not if they use a decent back end for authentication.

    This Krebs article may be more informative.

    cheers, Paul

    [Edit] Windows Secrets seems to be safe according to my testing.
    Last edited by Paul T; 2014-04-09 at 14:32.
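    One practical way to act on "only a problem if your software uses OpenSSL" is to triage the version string your own machines and servers report. The block below is an added example, not code from this thread or from the OpenSSL project; it encodes the affected range from the OpenSSL advisory for CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and later, the 1.0.0 and 0.9.8 branches, and 1.0.2-beta2 onward not affected). The function names are this example's own, and the version strings in the comments are constructed samples.

```python
"""Triage an `openssl version` string against the Heartbleed-affected releases.

Added example, not code from the thread. The affected range is taken from the
OpenSSL advisory for CVE-2014-0160: 1.0.1 through 1.0.1f and 1.0.2-beta1 are
affected; 1.0.1g and later, the 1.0.0 and 0.9.8 branches, and 1.0.2-beta2
onward are not. Function names are this example's own.
"""
import re
import subprocess

# "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips ...", "OpenSSL 1.0.2-beta1 ..."
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, beta) from an `openssl version` line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % text)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return major, minor, fix, m.group(4), m.group(5) or ""


def heartbleed_affected(text):
    """True when the upstream release named in text shipped the bug.

    Caveat: distributions often backport the fix without changing the version
    (a patched Debian 7 still prints 1.0.1e), so True means "check the package
    changelog or probe the service", not "definitely vulnerable".
    """
    major, minor, fix, letter, beta = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # plain 1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; 1.0.1g fixed it
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        return beta == "-beta1"
    return False


def local_openssl_status():
    """Run the local `openssl version` and triage it; returns (text, affected)."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), heartbleed_affected(out)


if __name__ == "__main__":
    version, affected = local_openssl_status()
    print(version, "-> in affected range" if affected else "-> not in affected range")
```

    A hit from this check is a reason to look further (package changelog, vendor advisory, or a live probe), not a verdict on its own, because a backported fix leaves the version string unchanged.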

#3  Browni (5 Star Lounger, Rochdale, UK)
    What is interesting is that the bug has been in existence for 2 years.

    Also interesting that the thinkbroadband site doesn't deem it newsworthy yet.

    There is a Forum Discussion on the TBB site but there doesn't seem to be too much concern.

#4  ruirib (Administrator, Portugal)
    There is a tool to check a website for vulnerabilities. Check the most relevant sites you use, where your password being broken would be critical, like online banking and similar. I did check PayPal and it is safe.

    Here is the tool: http://filippo.io/Heartbleed/
    Rui

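    What a checker like the one linked above actually does is send one malformed heartbeat request and look at the size of the reply. The block below is an added example, not code from this thread, from the linked tool, or from OpenSSL: it models that exchange offline at the message level, with a constructed bytearray standing in for server memory and two handlers that mirror the shape of OpenSSL's heartbeat processing before and after the bound check added in 1.0.1g. The function names, the "neighbour" data and the zeroed padding (OpenSSL uses random bytes) are this example's own.

```python
"""Message-level model of the Heartbleed check (CVE-2014-0160).

Added example, not code from the thread or from any checker site. It runs
offline: the "server memory" is a bytearray constructed below, the two
handlers mirror the shape of OpenSSL's heartbeat processing before and after
the 1.0.1g bound check, and the names are this example's own.
"""
import struct

TLS_HEARTBEAT = 0x18            # TLS record ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType
PADDING = 16                    # minimum padding length required by RFC 6520


def build_record(content_type, body, version=(3, 2)):
    """TLS record: 1-byte type, 2-byte version (3,2 = TLS 1.1), 2-byte length, body."""
    return bytes([content_type, *version]) + struct.pack("!H", len(body)) + body


def build_probe(claimed_len=0x4000):
    """Heartbeat request whose header claims claimed_len payload bytes but
    carries none; this is the shape of request the online checkers send."""
    return build_record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", claimed_len))


def parse_record(data):
    """Split a TLS record into (content_type, version, body)."""
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[:5])
    return ctype, (vmaj, vmin), data[5:5 + length]


def _heartbeat_fields(memory, offset):
    hbtype = memory[offset]
    (payload_len,) = struct.unpack("!H", memory[offset + 1:offset + 3])
    return hbtype, payload_len, offset + 3


def _response(payload, payload_len):
    # padding zeroed here; OpenSSL fills it with random bytes
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload + b"\x00" * PADDING


def handle_heartbeat_vulnerable(memory, offset, rec_len):
    """Pre-1.0.1g shape: trust the peer's payload_length and copy that many
    bytes from the record buffer, reading past the rec_len bytes received."""
    hbtype, payload_len, start = _heartbeat_fields(memory, offset)
    if hbtype != HB_REQUEST:
        return None
    payload = bytes(memory[start:start + payload_len])   # over-read when payload_len > rec_len - 3
    return _response(payload, payload_len)


def handle_heartbeat_patched(memory, offset, rec_len):
    """1.0.1g shape: discard silently unless type, length, payload and the
    minimum padding all fit inside the bytes actually received."""
    if 1 + 2 + PADDING > rec_len:
        return None
    hbtype, payload_len, start = _heartbeat_fields(memory, offset)
    if 1 + 2 + payload_len + PADDING > rec_len:
        return None
    if hbtype != HB_REQUEST:
        return None
    return _response(bytes(memory[start:start + payload_len]), payload_len)


def looks_vulnerable(probe, response):
    """Checker verdict: a response echoing the claimed length back for a
    request that carried no payload means the server read it from memory."""
    if response is None or response[0] != HB_RESPONSE:
        return False
    _, _, body = parse_record(probe)
    (claimed,) = struct.unpack("!H", body[1:3])
    (returned,) = struct.unpack("!H", response[1:3])
    return len(body) == 3 and returned == claimed and len(response) >= 3 + claimed


def simulate(handler, claimed_len=0x4000):
    """Deliver a probe to handler over a constructed heap: the received record
    followed by another connection's data, then zero fill so the over-read
    stays inside the bytearray."""
    probe = build_probe(claimed_len)
    _, _, body = parse_record(probe)
    neighbour = b"|cookie=SESSION-4711;user=alice;pw=hunter2|"   # constructed, not real data
    memory = bytearray(body + neighbour + b"\x00" * 0x4000)
    response = handler(memory, 0, len(body))
    return probe, response


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_heartbeat_vulnerable),
                          ("patched", handle_heartbeat_patched)):
        probe, response = simulate(handler)
        print(name, "->", "leaks memory" if looks_vulnerable(probe, response) else "discards probe")
```

    The point of the model is the single bound check: the patched handler compares the claimed payload length against the record length that was actually received, so the 3-byte probe is dropped, while the vulnerable handler copies 16 KiB from whatever sits after the request in memory. A real checker does the same comparison on the reply size after completing a TLS handshake; a server that answers the probe in full is the one whose memory (including keys and session data) is readable.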

#5  access-mdb (4 Star Lounger, Oxfordshire, UK)
    My bank uses a card reader to generate a number which I use to login with. This changes each time I use it, so I assume that this precludes any problems with the bug as no password is used.

    I also use Thunderbird to login to Yahoo, is that compromised as well?

    Rui, it may be that a site is safe now, but was it safe before (as Browni says, it's been around for two years)? What we need is some openness from all sites about whether they have been affected and if they've updated their software. Only then can we be sure whether or not our passwords have been compromised. I'm not holding my breath.

#6  ruirib (Administrator, Portugal)
    I would still change passwords on sites where I would not like my passwords to be known, and monitor any movements, purchases, etc., for the near future. One of the risks here is that the private keys were compromised, requiring the issuing of new certificates to avoid any future problems. This basically means you need to be very careful about what happens in relevant sites you use where the vulnerability was present. Of course, if you don't know, just keep tabs on movements and purchases in the key sites you use.
    Rui

#7  Browni (5 Star Lounger, Rochdale, UK)
    Quote (ruirib): This basically means you need to be very careful about what happens in relevant sites you use where the vulnerability was present.
    As this vulnerability has been around for 2 years I am starting to get nervous...

#8  ruirib (Administrator, Portugal)
    Quote (Browni): As this vulnerability has been around for 2 years I am starting to get nervous...
    I think there is no big reason for that. Has anything happened with your accounts? Strange movements, unexplained events? If not, there is no reason to become overly nervous, though you should monitor what goes on in your most important sites.
    Rui

#9  Paul T (Platinum Lounger, Earth)
    The vulnerability does not automatically lead to your passwords being discovered, just the possibility, and that is still difficult to do because an attacker would either need to intercept your data, or capture the information from the web site computer at the very moment you log on. The biggest issue is that SSL certificates on affected sites are no longer private because the keys can be stolen, but that still requires a very sophisticated attack to gain your passwords.

    The biggest risk to your passwords is still malware on your computer.

    cheers, Paul

#10  Ed Y (Lounger, Kokomo, MS)
    Does anyone have a list of sites that are "vulnerable"? Wading through the long list that shows "no ssl" and "not vulnerable" takes a while.

    Does anyone think that "vulnerable" sites will notify users when they have been fixed? Otherwise, what good will changing passwords do?
    Last edited by Ed Y; 2014-04-10 at 07:30.
    Ed

#11  Paul T (Platinum Lounger, Earth)
    You really need to rely on sites notifying registered users if they (the site) think there is a problem - and what ruirib said in #6.

    cheers, Paul

#12  wavy (3 Star Lounger, ny)
    FYI: LastPass Heartbleed test/report site

