Bay 12 Games Forum

Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1] 2 3 4

Author Topic: Heartbleed Exploit - Most servers patched, but assume ALL passwords compromised  (Read 3430 times)

Draxis

  • Bay Watcher
    • View Profile

Recently they found a bug in OpenSSL - supposedly used by 2/3 of all encrypted Web servers - which let people basically read huge chunks memory of from server and look through it at will, without leaving records except maybe in router logs.  Conveniently, encryption keys are one of the easiest things to pull out.  This means that, essentially, no exchanges made over HTTPS for the last two years can be considered secure, and from yesterday when this blew up until this exploit is globally fixed, all should be presumed broken.

More information Here.
This site has been set up to test remote servers for the exploit, ostentiably to let people test their own but in any case it is useful for seeing which sites are safe to use.

Linux users and any server operators who happen to be reading this should update their OpenSSL to 1.01g right now.
At this point, most servers have been patched, but you should assume that any and all passwords used on any HTTPS site, or reused from one, are compromised and change them once that site is secure.
Any site whose SSL Key was signed before April 7, 2014 should be considered vulnerable to MITM attacks.
« Last Edit: April 09, 2014, 01:46:37 pm by Draxis »
Logged

Tack

  • Bay Watcher
  • Giving nothing to a community who gave me so much.
    • View Profile

Well fuck.
Logged
Sentience, Endurance, and Thumbs: The Trifector of a Superpredator.
Yeah, he's a banned spammer. Normally we'd delete this thread too, but people were having too much fun with it by the time we got here.

i2amroy

  • Bay Watcher
  • Cats, ruling the world one dwarf at a time
    • View Profile

Seems like most of the big companies out there are ok though, the checker tool says that steam, amazon, google, github, and paypal all come out clean.
« Last Edit: April 08, 2014, 08:52:25 pm by i2amroy »
Logged
Quote from: PTTG
It would be brutally difficult and probably won't work. In other words, it's absolutely dwarven!
Cataclysm: Dark Days Ahead - A fun zombie survival rougelike that I'm dev-ing for.

Remuthra

  • Bay Watcher
  • I live once more...
    • View Profile

Half tempted to say this is a joke.

Draxis

  • Bay Watcher
    • View Profile

I doubt it - groups like Cisco and TOR were the ones who publicised it, and also I can confirm that over on the Ars Technica thread somebody went and started logging in as people, and editing their passwords into their posts.
Logged

i2amroy

  • Bay Watcher
  • Cats, ruling the world one dwarf at a time
    • View Profile

A little deeper digging shows that the problem isn't quite as widespread as it seems. While Apache and nginx do hold over 66% of the actual number of servers affected seems to be around 17.5% of SSL webservers, some ~.5 million servers.
Logged
Quote from: PTTG
It would be brutally difficult and probably won't work. In other words, it's absolutely dwarven!
Cataclysm: Dark Days Ahead - A fun zombie survival rougelike that I'm dev-ing for.

da_nang

  • Bay Watcher
  • Argonian Overlord
    • View Profile
Logged
"Deliver yesterday, code today, think tomorrow."
Ceterum censeo Unionem Europaeam esse delendam.
Future supplanter of humanity.

scriver

  • Bay Watcher
  • City streets ain't got much pity
    • View Profile

And now please explain for the computer unknowledgeable.
Logged
Love, scriver~

Draxis

  • Bay Watcher
    • View Profile

Basically, it lets people randomly pull large chunks of memory out of any server using a certain version of a common encryption program.  These chunks could contain nothing useful, but commonly contained things like passwords, bank account numbers, or (arguably worst of all) the encryption keys used to verify that a server is the one it says it is.  This means that people could go in and take the information on, not only users and their accounts, but how to impersonate a server and take all the information being passed around "securely" until everybody gets new keys, which takes time and money.  And, it's been active for the last two years or so.
Logged

smjjames

  • Bay Watcher
    • View Profile

Wow, that's one huge bug to go undiscovered for so long. Why do they call it the heartbleed exploit though?
Logged

Draxis

  • Bay Watcher
    • View Profile

Because the problem is in a module called the "TLS Heartbeat".
Logged

Muz

  • Bay Watcher
    • View Profile

Wow, didn't notice this. I guess I really should be changing all my passwords. But I can't really be bothered to remember entirely new passwords and it's not like I have enough bank account money or personal information worth stealing. Such a hard decision.
Logged
Disclaimer: Any sarcasm in my posts will not be mentioned as that would ruin the purpose. It is assumed that the reader is intelligent enough to tell the difference between what is sarcasm and what is not.

fricy

  • Bay Watcher
  • [DFHACK:ZEALOT]
    • View Profile

Please correct me if I'm wrong, but as I understand there's no reason to change passwords (beyond mere paranoia) until the server you use upgrades it's software to patch the hearthbleed. In fact if you log into a vulnerable server you expose your login data to a potential ongoing attack, but of course if an attacker gets admin credentials/server keys/whatever your data is theirs either way...
Major servers are already patched, but smaller ones will take time to fix, so we are basically fscked until further notice. :)

Draxis

  • Bay Watcher
    • View Profile

True.  But, big sites will have been the ones hit first when this came to surface, so the passwords for already-patched ones should probably be changed now anyway to ensure that there isn't a chance of someone stealing your account.

Of course, there's always the chance of someone with the server's SSL pad impersonating that server.  So, maybe don't log on to anything whose SSL certificate was signed before the 7th?  I don't really know how much of a threat that is, but it is certainly a possibility.
Logged

Muz

  • Bay Watcher
    • View Profile

Ok fine. I caved and finally changed my B12 password. For the last 8 years it was "password".
Logged
Disclaimer: Any sarcasm in my posts will not be mentioned as that would ruin the purpose. It is assumed that the reader is intelligent enough to tell the difference between what is sarcasm and what is not.
Pages: [1] 2 3 4