Jump to content
bmn

Security announcement: the Heartbleed vulnerability

Recommended Posts

Yeah, this is VERY worrying indeed. They said that you should not change you passwords UNTIL each of the websites you use have updated their security protocol. If you change your password now, you'll still be at risk anyway.

Share this post


Link to post
Share on other sites

You can check any website for vulnerability with this. Most major services have already fixed the problem, and some services (such as Google services) patched it before the exploit was widely disclosed (as they were among those responsible for discovering and exposing it).

Share this post


Link to post
Share on other sites

I was relieved to find that Amazon is not vulnerable to this, but then I remembered that I use a Yahoo email for that account.  Should I be worried about that?

Share this post


Link to post
Share on other sites

It's just as well I was on a kick to change/update a lot of my passwords after all the stuff that's happened with places like comiXology and Kickstarter. Someone trying to get into my G-Mail was the last straw, but thankfully a lot of the sites I use appear to not be affected by this. I can't be sure of them all, but most of them are.

 

Thanks for the heads up, bmn.

 

 

I was relieved to find that Amazon is not vulnerable to this, but then I remembered that I use a Yahoo email for that account.  Should I be worried about that?

 

It might depend on what information could be stored on there. If you have a separate, non-Yahoo account, it might not be a bad idea to associate that one with Amazon for now though. That said, it appears Yahoo is working to fix it, according to the article Apollo Justice just posted.

Share this post


Link to post
Share on other sites

I was relieved to find that Amazon is not vulnerable to this, but then I remembered that I use a Yahoo email for that account.  Should I be worried about that?

I just checked and yahoo is unaffected, most of the affected sites are more like torrent, free media, and a few blog type sites, nothing known though, well maybe imgar, but pretty much no well known websites are affected.

Share this post


Link to post
Share on other sites

Paypal is not vulnerable. Saved me a heartattack.

I was relieved to find that Amazon is not vulnerable to this, but then I remembered that I use a Yahoo email for that account.  Should I be worried about that?

I just checked and yahoo is unaffected, most of the affected sites are more like torrent, free media, and a few blog type sites, nothing known though, well maybe imgar, but pretty much no well known websites are affected.

This is important, so please read carefully. Just because it is not vulnerable now does not mean it was not vulnerable in the past1. If PayPal or any other service was using an affected version of OpenSSL (Which was any version released between March 14 2012 and April 7 2014) then it was vulnerable and it is possible that their private key(s) used during that time were compromised.

If a private key is obtained then any past or future communication using that key can be decrypted with it. This means that if someone intercepts an encrypted packet containing your password, then they can decrypt it if they have the private key used to encrypt it.

It is a very good idea to change your password on any important service that uses SSL encryption, provided that it is no longer vulnerable at this time.

1Most of the big websites are fine now because they applied the security patch released on April 7 2014.

Edited by Frogging101

Share this post


Link to post
Share on other sites

This is important, so please read carefully. Just because it is not vulnerable now does not mean it was not vulnerable in the past1. If PayPal or any other service was using an affected version of OpenSSL (Which was any version released between March 14 2012 and April 7 2014) then it was vulnerable and it is possible that their private key(s) used during that time were compromised.

If a private key is obtained then any past or future communication using that key can be decrypted with it. This means that if someone intercepts an encrypted packet containing your password, then they can decrypt it if they have the private key used to encrypt it.

It is a very good idea to change your password on any important service that uses SSL encryption, provided that it is no longer vulnerable at this time.

1Most of the big websites are fine now because they applied the security patch released on April 7 2014.

Well I did get a message awhile back to change my password for my yahoo work mail, actually come to think of it it was around this period...yeah I'll go change my other one too and maybe my gmail (even though it was unaffected).

Share this post


Link to post
Share on other sites

Frogging's got it down, yeah. The lists of top sites (such as the top 10000 posted above) were audited about a day after the vulnerability became widely known. A lot of the sites listed as not vulnerable will have been affected previously, and fixed their stuff up before the audit. Unfortunately, you can't be sure how long that was ago, unless there's a public announcement by the people running the site. Any OpenSSL service from the last 5 months could have been hit.

 

Basically, if it says vulnerable now, then your communication right now is at risk. If it was vulnerable in the past, then anything you sent or received previously could've been seen.

 

I was relieved to find that Amazon is not vulnerable to this, but then I remembered that I use a Yahoo email for that account.  Should I be worried about that?

If you had secure communications with Yahoo!, such as logging into or reading your email, then those communications could have been affected. Logging into another site such as Amazon using that address, won't do that though (the email address in this case is just a username, and isn't actually linked to the address itself).

 

Some sites, such as Facebook and Twitter, allow you to log into other sites using your FB/Twitter account. In this case, logging in on the other site does result in that sort of communication. So, if FB/Twitter was vulnerable, the act of logging in on the other site could potentially have been eavesdropped on. Otherwise, the only risk would really be with the site you're actually using.

Share this post


Link to post
Share on other sites

This is important, so please read carefully. Just because it is not vulnerable now does not mean it was not vulnerable in the past1. If PayPal or any other service was using an affected version of OpenSSL (Which was any version released between March 14 2012 and April 7 2014) then it was vulnerable and it is possible that their private key(s) used during that time were compromised.

If a private key is obtained then any past or future communication using that key can be decrypted with it. This means that if someone intercepts an encrypted packet containing your password, then they can decrypt it if they have the private key used to encrypt it.

It is a very good idea to change your password on any important service that uses SSL encryption, provided that it is no longer vulnerable at this time.

1Most of the big websites are fine now because they applied the security patch released on April 7 2014.

 

 

So, if I'm understanding correctly, if I changed my passwords about two weeks or so ago, which was before we'd heard about Heartbleed (and around the time I had to change my G-Mail's password), should I probably go change them again as a precaution?

Share this post


Link to post
Share on other sites

Changing them the first time certainly reduced your chances of getting caught out. Think of this as a two week period where something potentially could have happened - it's unlikely, but possible. I'd probably say change the stuff you really care about keeping safe.

Share this post


Link to post
Share on other sites

Point taken. I suppose I will go back and change my e-mail again and alter one or two others (facebook and tumblr were changed last night, so I'm not concerned about those). Thanks!

Share this post


Link to post
Share on other sites

Yeah, I've got a question.

 

How does such a mainstream security program let this slip for 2 years and not notice?

 

I'm not too worried honestly, I'd think the assholes who took my stuff would have messed with me by now.

 

Does Skype use OpenSSL?

Share this post


Link to post
Share on other sites

I'd imagine Skype uses IIS, being owned by Microsoft and all, but worth a look.

 

Skype's site uses SSL of some kind, but I don't know what. As far as I know SSL isn't used in the app itself as both the client and server do their own encryption.

Share this post


Link to post
Share on other sites

Yeah, I've got a question.

 

How does such a mainstream security program let this slip for 2 years and not notice?

 

I'm not too worried honestly, I'd think the assholes who took my stuff would have messed with me by now.

 

Does Skype use OpenSSL?

 

Microsoft's blog says that it uses OpenSSL, but their thorough review of it determined it was unaffected.

 

Well, that's basically every site I use that was unaffected. I'm going to shut down my PC rather than leave it in idle all night.

Share this post


Link to post
Share on other sites

Whelp, check your andoid phones too.

https://www.yahoo.com/tech/millions-of-android-phones-could-be-affected-by-the-82689357381.html

 

My motorola atrix 2 is completely safe. It's running 4.4.1 (ICS)

 

My HTC one m8 however:

https://lh6.ggpht.com/5JUx_9CxQLx_TOA5pYhnwZdPS-1QEIMjRje_pvFwmvFiLo9IqCV6OgTGUd2LbXuMJGk=h310

Is vulnerable despite running the latest version of android 4.4.2 kitkit.

Share this post


Link to post
Share on other sites

PSA: Gearbox's shift service was affected.

 

If anyone has borderlands 2, odds are you signed upto shift.

Wait, What? Oh, so that's why they sent me that email days ago. Should I change it again?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

You must read and accept our Terms of Use and Privacy Policy to continue using this website. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.