[Question] Heartbleed

Dammit! What if my account is compromised and someone posts an actual opinion instead of a dick joke?

This is unacceptable.
 

Dave

Staff member
*I* can't even see your passwords unless I go into the database. Which I wouldn't because it's too damned much work and I don't care enough.
 
Here is all you really need to know about Heartbleed.
If you use a website where your login is protected by a password, and you have stuff on it that would really matter if it were accessed by someone else, then you should probably change your password.

--Patrick
 

figmentPez

Staff member
I guess this is a really good time to finally switch over to using a password manager. Any suggestions on which one to use?
 
Here is all you really need to know about Heartbleed.
If you use a website where your login is protected by a password, and you have stuff on it that would really matter if it were accessed by someone else, then you should probably change your password.

--Patrick
Well, you should change your password if the site has patched to the fixed OpenSSL. Until then, if it's already compromised, there's no advantage in changing your password; you'll have to again when they do update.
I guess this is a really good time to finally switch over to using a password manager. Any suggestions on which one to use?
LastPass and 1Password are favourites. Personally I am a fan of LastPass, but my friend is working hard to sell me on 1Password.

And always remember the only thing that is 100% secure from online threats is something that isn't online.

I should also note LastPass is free with a $12/yr option; 1Password is a 30-day trial and then costs $50 one-time to keep using it. I pay the $12/yr with LastPass.
 

figmentPez

Staff member
LastPass and 1Password are favourites. Personally I am a fan of LastPass, but my friend is working hard to sell me on 1Password.

And always remember the only thing that is 100% secure from online threats is something that isn't online.

I should also note LastPass is free with a $12/yr option; 1Password is a 30-day trial and then costs $50 one-time to keep using it. I pay the $12/yr with LastPass.
The 1Password Android app doesn't seem to be very good. It hardly even gets a mention on the website, and has no support documentation that I can find. It might make sense, though, for my parents. Both of them use iPhones, and my mom has a Mac.

LastPass is looking better for me, though, with my Android Phone.
 
Also, if you're the sort to change your passwords and then keep them in some form of IMAP "notes" field, those notes might be encrypted in transit, but they are not encrypted on the server.
...which means your passwords could potentially be stolen again if your email provider still does not update.

--Patrick
 
Also, if you're the sort to change your passwords and then keep them in some form of IMAP "notes" field, those notes might be encrypted in transit, but they are not encrypted on the server.
...which means your passwords could potentially be stolen again if your email provider still does not update.

--Patrick
I believe LastPass counters this by decrypting locally. I might be wrong.
 

Dave

Staff member
Okay, so what do I need to do to fix this? Looking at the Xenforo page right now and it looks like an OpenSSL issue. Which means little to nothing to me right now.
 
Dave, Heartbleed affects HTTPS connections, which you don't have set up with the site.

But if you wanted to patch things because:
  1. Update the OpenSSL libraries on your server to the patched version
  2. Revoke any existing certificates you have
  3. Generate new certificates
  4. Force everyone to reset their passwords.
I agree with stienman's original post in this thread: there's no big need for you to do anything.
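A defender-side check for step 1, added here as an example and not posted by anyone in this thread: it classifies an `openssl version` string against the upstream Heartbleed-affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g). It assumes a POSIX sh with sed; the sample version strings are constructed.

```shell
#!/bin/sh
# Classify an "openssl version" string against the Heartbleed-affected range.
# Upstream affected: 1.0.1 through 1.0.1f and 1.0.2-beta1. Fixed in 1.0.1g / 1.0.2-beta2.
# The 0.9.8 and 1.0.0 branches never shipped the TLS heartbeat code.
# Caveat: distributions backport fixes without changing the upstream version string,
# so "vulnerable-upstream" means "check the package changelog", not "confirmed exposed".
heartbleed_version_status() {
    # $1 is a string such as "OpenSSL 1.0.1e 11 Feb 2013" or just "1.0.1g".
    ver=$(printf '%s\n' "$1" | \
        sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\2/p')
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo "vulnerable-upstream" ;;
        0.9.8*|1.0.0*)                echo "not-affected" ;;
        1.0.1*|1.0.2*|1.1.*|3.*)      echo "fixed" ;;
        *)                            echo "unknown" ;;
    esac
    return 0
}

# Convenience wrapper: classify whatever openssl binary is on this host's PATH.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        heartbleed_version_status "$(openssl version)"
    else
        echo "unknown"
    fi
}
```

Run `check_local_openssl` on the server; a "vulnerable-upstream" verdict on a distribution package still needs the package changelog checked, because the fix may have been backported under the old version number.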
 
Every time I've put the website's URL in on that link Gas provided, it comes up that the site is vulnerable - but it spits out a bunch of garbage code.
 

Dave

Staff member
There's literally nothing I can do about it and it's a false positive as we don't use https.
 
Yeah, the gibberish that it comes back with for the site when I plug it in to the URL listed by Gas is... um, interesting.

And rather obviously not ours.
 
Halforums doesn't use SSL, so all your passwords are already snoopable by anyone between your computer and the halforums server.
So apparently we're now protected by SSL (according to my browser).
Was this what necessitated the server move? If so, I approve.

--Patrick
 