Heartbleed

#1

Fun Size


Sorry if this has been covered elsewhere, but should we be changing passwords here as well, or is this not a concern?

http://www.zdnet.com/google-aws-rac...ed-openssl-flaw-but-azure-escapes-7000028281/


#2

Fun Size


Dammit! What if my account is compromised and someone posts an actual opinion instead of a dick joke?

This is unacceptable.


#3

GasBandit


If you're worried about a given site, this website purports to check it for the vulnerability:

http://heartbleedvulnerabilityscan.com/


#4

Dave


*I* can't even see your passwords unless I go into the database. Which I wouldn't because it's too damned much work and I don't care enough.


#5

Fvn Size


Dammit! What if my account is compromised


#6

PatrThom


Here is all you really need to know about Heartbleed.
If you use a website where your login is protected by a password, and you have stuff on it that would really matter if it were accessed by someone else, then you should probably change your password.

--Patrick


#7

figmentPez


I guess this is a really good time to finally switch over to using a password manager. Any suggestions on which one to use?


#8

Chad Sexington


Here is all you really need to know about Heartbleed.
If you use a website where your login is protected by a password, and you have stuff on it that would really matter if it were accessed by someone else, then you should probably change your password.

--Patrick
Well, you should change your password if the site has patched to the fixed OpenSSL. Until then, if it's already compromised, there's no advantage in changing your password; you'll have to again when they do update.

I guess this is a really good time to finally switch over to using a password manager. Any suggestions on which one to use?
LastPass and 1Password are favourites. Personally I am a fan of LastPass, but my friend is working hard to sell me on 1Password.

And always remember the only thing that is 100% secure from online threats is something that isn't online.

I should also note LastPass is free with a $12/yr option; 1Password is 30 trial and then costs $50 one-time to keep using it. I pay the $12/yr with LastPass.


#9

figmentPez


LastPass and 1Password are favourites. Personally I am a fan of LastPass, but my friend is working hard to sell me on 1Password.

And always remember the only thing that is 100% secure from online threats is something that isn't online.

I should also note LastPass is free with a $12/yr option; 1Password is 30 trial and then costs $50 one-time to keep using it. I pay the $12/yr with LastPass.
The 1Password Android app doesn't seem to be very good. It hardly even gets a mention on the website, and has no support documentation that I can find. It might make sense, though, for my parents. Both of them use iPhones, and my mom has a Mac.

LastPass is looking better for me, though, with my Android Phone.


#10

PatrThom


Also, if you're the sort to change your passwords and then keep them in some form of IMAP "notes" field, those notes might be encrypted in transit, but they are not encrypted on the server.
...which means your passwords could potentially be stolen again if your email provider still does not update.

--Patrick


#11

Chad Sexington


Also, if you're the sort to change your passwords and then keep them in some form of IMAP "notes" field, those notes might be encrypted in transit, but they are not encrypted on the server.
...which means your passwords could potentially be stolen again if your email provider still does not update.

--Patrick
I believe LastPass counters this by decrypting locally. I might be wrong.


#12

PatrThom


Any really good password manager should do that, or at least randomize its memory addresses so that snoopers can't front run that info.
This sort of thing was a real problem with DNS ports a while back.

--Patrick


#13

Dave


I use Lastpass for everything. So saves time.


#14

Emrys


Dammit! What if my account is compromised and someone posts an actual opinion instead of a dick joke?

This is unacceptable.
Don't worry. If the message has any depth to it, we'll immediately know it isn't you.


#15

PatrThom


a dick joke?
If [it] has any depth to it, we'll immediately know it isn't you.
:trolol:

--Patrick


#16

PatrThom


Here's a handy (non-exhaustive) reference.
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

--Patrick


#17

Covar




#18

Covar


Since people were wondering about LastPass:

http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

I'm glad I'm a premium customer with them.


#19

jwhouk


Uh, I just noticed that I was getting a Heartbleed notification for this place in my Firefox Heartbleed notifier...

If you're worried about a given site, this website purports to check it for the vulnerability:

http://heartbleedvulnerabilityscan.com/


#20

Dave


Okay, so what do I need to do to fix this? Looking at the Xenforo page right now and it looks like an OpenSSL issue. Which means little to nothing to me right now.


#21

Covar


Dave, Heartbleed affects HTTPS connections, which you don't have set up with the site.

But if you wanted to patch things because:
  1. Update the OpenSSL libraries on your server to the patched version
  2. Revoke any existing certificates you have
  3. Generate new certificates
  4. Force everyone to reset their passwords.
I agree with stienman's original post in this thread there's no big need for you to do anything.
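The checklist above, turned into commands as an added example (this is not code from the thread, from XenForo or from the OpenSSL project). It is a POSIX shell script that (1) classifies an `openssl version` string against the range of releases affected by Heartbleed (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2), (2) checks whether a remote HTTPS server still advertises the TLS heartbeat extension, and (3) generates a fresh key and CSR so the old certificate can be revoked and replaced. The host name and file names are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project it names.
# Turns the four-step checklist into commands. Host names and file names
# below are placeholders.

# Affected builds: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# Fixed in 1.0.1g and 1.0.2-beta2; the 0.9.8 and 1.0.0 branches never
# shipped the heartbeat code. Returns 0 (shell "true") when the string
# names an affected release.
heartbleed_vulnerable_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
    ver=${ver%-fips}          # RHEL/CentOS builds report e.g. "1.0.1e-fips"
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # affected
        1.0.2-beta1)      return 0 ;;   # affected
        *)                return 1 ;;   # fixed, or never affected
    esac
}

# Caveat: distributions backport fixes without bumping the version letter,
# so a "1.0.1e" that your package manager says is patched may be fine.
# Cross-check with the package changelog, e.g. on Debian/Ubuntu:
#   dpkg -s libssl1.0.0 | grep '^Version'
# and on RHEL/CentOS:
#   rpm -q --changelog openssl | grep -i CVE-2014-0160

# Does the server still advertise the TLS heartbeat extension (id 15)?
# A patched server may still advertise it (the fix is in the length check,
# not the extension), so "yes" means "go verify the version", while "no"
# means the heartbeat code path is unreachable. Needs network access, so
# it is not exercised by the local check at the bottom.
server_advertises_heartbeat() {
    openssl s_client -connect "$1:443" -tlsextdebug </dev/null 2>&1 \
        | grep -q 'server extension "heartbeat"'
}

# Steps 2 and 3 of the checklist: a new private key and CSR. Revoke the
# old certificate with the CA only after the new one is installed, and do
# step 4 (password resets) only after step 1 is done, otherwise the new
# passwords can leak the same way the old ones did.
rekey_for_host() {
    host=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$host.key.new" -out "$host.csr" -subj "/CN=$host" \
        && chmod 600 "$host.key.new"
    # Submit "$host.csr" to the CA, install the returned certificate,
    # then revoke the old one and reload the web server.
}

# Local check, runnable anywhere openssl is installed:
if heartbleed_vulnerable_version "$(openssl version 2>/dev/null)"; then
    echo "local OpenSSL build is in the Heartbleed-affected range: patch first"
else
    echo "local OpenSSL build is outside the affected range (verify backports)"
fi
```

The version check is deliberately a first-pass filter: on distributions that backport security fixes, the version letter stays the same after patching, so the package changelog, not `openssl version`, is the final word. The order matters for the same reason the post gives: a server that is re-keyed or has its users reset passwords before the library is patched just hands the new secrets to the same bug.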


#22

Dave


Cool. Nothing is what Daves do best!


#23

jwhouk


It *looked* like it might have been Shoutbox related.


#24

jwhouk


I'm still getting the notification when I log in via FF.


#25

jwhouk


Every time I've put the website's URL in on that link Gas provided, it comes up that the site is vulnerable - but it spits out a bunch of garbage code.


#26

jwhouk


Still getting the Heartbleed vulnerability notification.


#27

Dave


There's literally nothing I can do about it and it's a false positive as we don't use https.


#28

jwhouk


Yeah, the gibberish that it comes back with for the site when I plug it in to the URL listed by Gas is... um, interesting.

And rather obviously not ours.


#29

PatrThom


Halforums doesn't use SSL, so all your passwords are already snoopable by anyone between your computer and the halforums server.
So apparently we're now protected by SSL (according to my browser).
Was this what necessitated the server move? If so, I approve.

--Patrick


#30

Dave


The host contacted me and said, "Hey, I just got in a bunch of SSL certificates. Want one?" I said, "Sure!"

And here we are.

