Security announcement: the Heartbleed vulnerability

[bmn]

So, you may or may not have seen mutterings about Heartbleed around the Interweb. It's a bug that's caused major security worries since it was discovered a few days ago (I've heard it called the biggest issue since the discovery of SQL injection around '98). There's some nice roundups around, but I thought I'd provide a little info and advice about it for you guys here.

 

What it is and how it works

Heartbleed is a bug in some versions of OpenSSL, the software that most servers use to provide secure connections to websites (where you see "https://" instead of "http://", and all the data sent between you and the server is encrypted). By sending a bad request to a vulnerable server, an attacker can receive back 64KB of random data from the server's current memory. This random data could include sensitive data that has already been decrypted (passwords sent when you log in, bank details when paying for stuff), or even the server's master encryption key. The latter would allow the attacker to much more easily eavesdrop or modify data sent over the Internet using man-in-the-middle, or potentially masquerade as another site as part of a separate attack.

 

The risk

The bug was present in OpenSSL for about 2 years, and only recently fixed. Because of the way software is handled on many servers, many will by "up to date", but still have a vulnerable version. Also, to be considered safe, all fixed servers will need to generate a new master encryption key (in case the existing one was found out through the vulnerability). That's a hassle that some may not bother, or be able, to take.

 

About 17% of secure servers are thought to have been affected by Heartbleed, and it's thought that hackers were exploiting it for about 5 months. If you logged into Yahoo!, Imgur, Flickr, Steam's website, or any number of other sites in that time, some of your data may have been taken without your knowledge.

 

What it means for you and us

None of our services use secure connections, so this specific issue does not affect your visits to TSS or SSMB. You're still vulnerable to man-in-the-middle attacks, but, well, that's the case for every non-secure connection on the Internet, and has been for a very long time. If you have the same username and password here as anywhere that has been affected, there's a chance that someone could get into your SSMB account as a result.

 

More importantly, if you use the same password on multiple sites, such as your email account or other sensitive accounts, those accounts could be at risk. If an attacker has found out your password for one of them in the last 5 months, they could potentially have access to all of them. It's recommended that you change your password for any account you're concerned about, and try not to use the same password for all of them. You may find a password manager useful for keeping track of different passwords.

 

The recommendations for website users like yourselves are more precautionary than anything else. There's no directed threat towards individual people, but there is a chance of you essentially getting caught in the crossfire. So, I wouldn't go into a panic, but at the same time it's a very good excuse to take a look at your security.

 

 

If there are any questions or anything you're unsure about, you can post them here, and I'm sure I or other tech-savvy people will try to help.

[KrazyBean]

Yeah, this is VERY worrying indeed. They said that you should not change you passwords UNTIL each of the websites you use have updated their security protocol. If you change your password now, you'll still be at risk anyway.

[MamboCat]

*removed as unhelpful, sorry guys*

[Frogging101]

You can check any website for vulnerability with this. Most major services have already fixed the problem, and some services (such as Google services) patched it before the exploit was widely disclosed (as they were among those responsible for discovering and exposing it).

[Tara]

I was relieved to find that Amazon is not vulnerable to this, but then I remembered that I use a Yahoo email for that account.  Should I be worried about that?

[Jin.]

Paypal is not vulnerable. Saved me a heartattack.

[Junko]

Another website for you to cross-reference with the others: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

[Zaysho]

It's just as well I was on a kick to change/update a lot of my passwords after all the stuff that's happened with places like comiXology and Kickstarter. Someone trying to get into my G-Mail was the last straw, but thankfully a lot of the sites I use appear to not be affected by this. I can't be sure of them all, but most of them are.

 

Thanks for the heads up, bmn.

 

 

I was relieved to find that Amazon is not vulnerable to this, but then I remembered that I use a Yahoo email for that account.  Should I be worried about that?

 

It might depend on what information could be stored on there. If you have a separate, non-Yahoo account, it might not be a bad idea to associate that one with Amazon for now though. That said, it appears Yahoo is working to fix it, according to the article Apollo Justice just posted.

[Da Blu Hedgie]

I was relieved to find that Amazon is not vulnerable to this, but then I remembered that I use a Yahoo email for that account.  Should I be worried about that?

I just checked and yahoo is unaffected, most of the affected sites are more like torrent, free media, and a few blog type sites, nothing known though, well maybe imgar, but pretty much no well known websites are affected.

[Frogging101]

Paypal is not vulnerable. Saved me a heartattack.

I was relieved to find that Amazon is not vulnerable to this, but then I remembered that I use a Yahoo email for that account.  Should I be worried about that?

I just checked and yahoo is unaffected, most of the affected sites are more like torrent, free media, and a few blog type sites, nothing known though, well maybe imgar, but pretty much no well known websites are affected.

This is important, so please read carefully. Just because it is not vulnerable now does not mean it was not vulnerable in the past¹. If PayPal or any other service was using an affected version of OpenSSL (Which was any version released between March 14 2012 and April 7 2014) then it was vulnerable and it is possible that their private key(s) used during that time were compromised.

If a private key is obtained then any past or future communication using that key can be decrypted with it. This means that if someone intercepts an encrypted packet containing your password, then they can decrypt it if they have the private key used to encrypt it.

It is a very good idea to change your password on any important service that uses SSL encryption, provided that it is no longer vulnerable at this time.

¹Most of the big websites are fine now because they applied the security patch released on April 7 2014.

Edited April 10, 2014 by Frogging101

[Da Blu Hedgie]

This is important, so please read carefully. Just because it is not vulnerable now does not mean it was not vulnerable in the past¹. If PayPal or any other service was using an affected version of OpenSSL (Which was any version released between March 14 2012 and April 7 2014) then it was vulnerable and it is possible that their private key(s) used during that time were compromised.

If a private key is obtained then any past or future communication using that key can be decrypted with it. This means that if someone intercepts an encrypted packet containing your password, then they can decrypt it if they have the private key used to encrypt it.

It is a very good idea to change your password on any important service that uses SSL encryption, provided that it is no longer vulnerable at this time.

¹Most of the big websites are fine now because they applied the security patch released on April 7 2014.

Well I did get a message awhile back to change my password for my yahoo work mail, actually come to think of it it was around this period...yeah I'll go change my other one too and maybe my gmail (even though it was unaffected).

[bmn]

Frogging's got it down, yeah. The lists of top sites (such as the top 10000 posted above) were audited about a day after the vulnerability became widely known. A lot of the sites listed as not vulnerable will have been affected previously, and fixed their stuff up before the audit. Unfortunately, you can't be sure how long that was ago, unless there's a public announcement by the people running the site. Any OpenSSL service from the last 5 months could have been hit.

 

Basically, if it says vulnerable now, then your communication right now is at risk. If it was vulnerable in the past, then anything you sent or received previously could've been seen.

 

I was relieved to find that Amazon is not vulnerable to this, but then I remembered that I use a Yahoo email for that account.  Should I be worried about that?

If you had secure communications with Yahoo!, such as logging into or reading your email, then those communications could have been affected. Logging into another site such as Amazon using that address, won't do that though (the email address in this case is just a username, and isn't actually linked to the address itself).

 

Some sites, such as Facebook and Twitter, allow you to log into other sites using your FB/Twitter account. In this case, logging in on the other site does result in that sort of communication. So, if FB/Twitter was vulnerable, the act of logging in on the other site could potentially have been eavesdropped on. Otherwise, the only risk would really be with the site you're actually using.

[Zaysho]

This is important, so please read carefully. Just because it is not vulnerable now does not mean it was not vulnerable in the past¹. If PayPal or any other service was using an affected version of OpenSSL (Which was any version released between March 14 2012 and April 7 2014) then it was vulnerable and it is possible that their private key(s) used during that time were compromised.

If a private key is obtained then any past or future communication using that key can be decrypted with it. This means that if someone intercepts an encrypted packet containing your password, then they can decrypt it if they have the private key used to encrypt it.

It is a very good idea to change your password on any important service that uses SSL encryption, provided that it is no longer vulnerable at this time.

¹Most of the big websites are fine now because they applied the security patch released on April 7 2014.

 

 

So, if I'm understanding correctly, if I changed my passwords about two weeks or so ago, which was before we'd heard about Heartbleed (and around the time I had to change my G-Mail's password), should I probably go change them again as a precaution?

[bmn]

Changing them the first time certainly reduced your chances of getting caught out. Think of this as a two week period where something potentially could have happened - it's unlikely, but possible. I'd probably say change the stuff you really care about keeping safe.

[Zaysho]

Point taken. I suppose I will go back and change my e-mail again and alter one or two others (facebook and tumblr were changed last night, so I'm not concerned about those). Thanks!

[Solkia]

Yeah, I've got a question.

 

How does such a mainstream security program let this slip for 2 years and not notice?

 

I'm not too worried honestly, I'd think the assholes who took my stuff would have messed with me by now.

 

Does Skype use OpenSSL?

[bmn]

I'd imagine Skype uses IIS, being owned by Microsoft and all, but worth a look.

 

Skype's site uses SSL of some kind, but I don't know what. As far as I know SSL isn't used in the app itself as both the client and server do their own encryption.

[Solkia]

http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

 

This is a list of sites that have been patched and sites that were never vulnerable to begin with.

 

Paypal and Ebay were never affected by the bug, so you don't need to worry about those.

[Jix Hedgehog]

X

Edited August 15, 2015 by Jix Hedgehog

[Solkia]

Yeah, I've got a question.

 

How does such a mainstream security program let this slip for 2 years and not notice?

 

I'm not too worried honestly, I'd think the assholes who took my stuff would have messed with me by now.

 

Does Skype use OpenSSL?

 

Microsoft's blog says that it uses OpenSSL, but their thorough review of it determined it was unaffected.

 

Well, that's basically every site I use that was unaffected. I'm going to shut down my PC rather than leave it in idle all night.

[Milo]

Someone took some snapshots of the list of sites (not) affected (from the c|net website) on tumblr, decided to repost here. Worth noting that more sites has been added at the main site since this was posted though, check the link source for more sites.

 

[Da Blu Hedgie]

Whelp, check your andoid phones too.

https://www.yahoo.com/tech/millions-of-android-phones-could-be-affected-by-the-82689357381.html

 

My motorola atrix 2 is completely safe. It's running 4.4.1 (ICS)

 

My HTC one m8 however:

https://lh6.ggpht.com/5JUx_9CxQLx_TOA5pYhnwZdPS-1QEIMjRje_pvFwmvFiLo9IqCV6OgTGUd2LbXuMJGk=h310

Is vulnerable despite running the latest version of android 4.4.2 kitkit.

[Badnik Mechanic]

PSA: Gearbox's shift service was affected.

 

If anyone has borderlands 2, odds are you signed upto shift.

[Kaze no Klonoa]

PSA: Gearbox's shift service was affected.

 

If anyone has borderlands 2, odds are you signed upto shift.

Wait, What? Oh, so that's why they sent me that email days ago. Should I change it again?