• Major security problem

    #494218

    See http://www.bbc.co.uk/news/technology-26954540

    Should we now change all our passwords as suggested? I’m surprised this hasn’t been mentioned on the lounge before.

    Eliminate spare time: start programming PowerShell

    • #1448114

      Only a problem if your software uses OpenSSL. If you are running an Apache web server, or email encryption, you may be vulnerable, but I don’t know of any typical user programs that use it.

      Web servers where you have an account may be vulnerable, but not if they use a decent back end for authentication.

      This Krebs article may be more informative.

      cheers, Paul

      [Edit] Windows Secrets seems to be safe according to my testing.

    • #1448122

      What is interesting is that the bug has been in existence for 2 years.

      Also interesting that the thinkbroadband site doesn’t deem it newsworthy yet.

      There is a Forum Discussion on the TBB site but there doesn’t seem to be too much concern.

    • #1448127

      There is a tool to check a website for vulnerabilities. Check the most relevant sites you use, where your password being broken would be critical, like online banking and similar. I did check PayPal and it is safe :).

      Here is the tool: http://filippo.io/Heartbleed/

    • #1448135

      My bank uses a card reader to generate a number which I use to log in with. This changes each time I use it, so I assume that this precludes any problems with the bug as no password is used.

      I also use Thunderbird to log in to Yahoo, is that compromised as well?

      Rui, it may be that a site is safe now, but was it safe (as Browni says, it’s been around for two years)? What we need is some openness from all sites about whether they have been affected and if they’ve updated their software. Only then can we be sure whether or not our passwords have been compromised. I’m not holding my breath.

    • #1448136

      I would still change passwords on sites where I would not like my passwords to be known and monitor any movements, purchases, etc., for the near future. One of the risks here is that the private keys were compromised, requiring the issuing of new certificates to avoid any future problems. This basically means you need to be very careful about what happens in relevant sites you use where the vulnerability was present. Of course, if you don’t know, just keep tabs on movements and purchases in the key sites you use.

      • #1448143

        This basically means you need to be very careful about what happens in relevant sites you use where the vulnerability was present.

        As this vulnerability has been around for 2 years I am starting to get nervous…

        • #1448145

          As this vulnerability has been around for 2 years I am starting to get nervous…

          I think there is no big reason for that. Has anything happened with your accounts? Strange movements, unexplained events? If not, there is no reason to become overly nervous, though you should monitor what goes on in your most important sites.

    • #1448186

      The vulnerability does not automatically lead to your passwords being discovered, just the possibility, and that is still difficult to do because an attacker would either need to intercept your data, or capture the information from the web site computer at the very moment you log on. The biggest issue is that SSL certificates on affected sites are no longer private because the keys can be stolen, but that still requires a very sophisticated attack to gain your passwords.

      The biggest risk to your passwords is still malware on your computer.

      cheers, Paul

    • #1448224

      Does anyone have a list of sites that are “vulnerable”? Wading through the long list that shows “no ssl” and “not vulnerable” takes a while.

      Does anyone think that “vulnerable” sites will notify users when they have been fixed??? Otherwise, what good will changing passwords do?

    • #1448246

      You really need to rely on sites notifying registered users if they (the site) think there is a problem – and what ruirib said in #6.

      cheers, Paul

    • #1448438

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.