
Author Topic: URGENT! Heartbleed Bug  (Read 3220 times)

DeviantProtagonist

  • Producer
  • *****
  • Posts: 998
  • Thank you so much, Azumin.
URGENT! Heartbleed Bug
« on: April 13, 2014, 02:56:40 am »
heartbleed.com



For it not being posted in Project Im@s, I'll leave this here just to make sure everyone's clued in on the circumstances. There's a major security hole that's been around for two years tops, affecting two thirds of the internet due to services that run on OpenSSL. This is very liable to expose personal information such as passwords, cookies and even credit card numbers. Overall, it is imperative that you change your passwords on important things immediately. To help guide your way, here's a list of major websites that were either hit or missed the bullet.
« Last Edit: April 13, 2014, 03:06:48 am by DeviantProtagonist »
Suddenly, bow-wow-wow~. :3

MetalPredat0r

  • Producer
  • *****
  • Posts: 1571
  • No Copyright Law in the Universe is gonna stop me!
    • Follow me on Twitter if you want.
Re: URGENT! Heartbleed Bug
« Reply #1 on: April 13, 2014, 03:51:05 am »
Thank you for this! I changed my passwords to prevent this! You are great for posting about this.
Haikus are easy
But sometimes they don't make sense
Refrigerator

DeviantProtagonist

  • Producer
  • *****
  • Posts: 998
  • Thank you so much, Azumin.
Re: URGENT! Heartbleed Bug
« Reply #2 on: April 13, 2014, 04:35:07 am »
Glad to help there. The fact a company like Google got affected by this does help convey the extent of this situation.
Suddenly, bow-wow-wow~. :3

altuixde

  • Producer
  • *****
  • Posts: 779
Re: URGENT! Heartbleed Bug
« Reply #3 on: April 13, 2014, 04:50:39 am »
Note that you shouldn't change your password on, or even log in to, sites that are vulnerable which haven't been patched yet. Fortunately, it looks like most companies patched the vulnerability pretty fast. It's safe to (and necessary that you) change your passwords for sites with a green check mark in the link that Dean provided. However, that isn't an exhaustive list—there may be other sites that you need to change your password on. If you receive a legitimate email asking you to change your password for a site, then you should do so. Oddly, I've only received one email warning about Heartbleed, and that was from the fastmail.fm email service.

Edit: Twitter doesn't have a green check mark in the list, but they did apply a patch so it's safe to log in and change your password there.
« Last Edit: April 13, 2014, 05:24:35 am by altuixde »

JNiles

  • Producer
  • *****
  • Posts: 508
  • Gimme a hug
Re: URGENT! Heartbleed Bug
« Reply #4 on: May 15, 2014, 06:15:22 am »
Just noticed a suspicious and HUGE transaction on my credit card... some bastard ordered up a gigantic cash advance on it.  I reported the fraud and closed the account.  The timing is right around the time of the Heartbleed announcement... but I only just saw my bill just now.  Anyway, changing passwords starting with the most important ones. -_-;;;;

altuixde

  • Producer
  • *****
  • Posts: 779
Re: URGENT! Heartbleed Bug
« Reply #5 on: May 15, 2014, 06:34:20 am »
Here's a way to test if a site is vulnerable to the Heartbleed bug:

http://safeweb.norton.com/heartbleed

Every site that I've checked has passed the test, but it can't hurt to check anyway. I test sites before making transactions at new online stores, or accessing important accounts that I haven't accessed since the Heartbleed bug made headlines.

Slightly off-topic, but how is the login information for our project-imas accounts protected? I wouldn't lose any money if my forum account were taken over, but still I wouldn't want anyone pretending to be me on this forum or any forum.

Yunabeco

  • Webmaster
  • Administrator
  • Member
  • *****
  • Posts: 133
  • Chihaya appreciator.
    • Project-iM@S
Re: URGENT! Heartbleed Bug
« Reply #6 on: May 15, 2014, 07:56:36 am »
The kind you'd find on any forum: protected by salted hashes in a database. Not that it really matters when Heartbleed comes in.
We don't have SSL (connection isn't encrypted), so it could be ironically said we've been safe from Heartbleed, but we're on shared hosting: other sites on the same server as us probably do have SSL, but the probability of an SSL attack hitting project-imas.com is not only insanely low, it's also pretty damn hard, when you see data from a shared server, to tell which site on it it comes from. I pinged the host, who said we're safe where we are.

I'm not exactly worried about it when it comes to project-imas.com, but I've changed most of my passwords just in case. And so should you.

altuixde

  • Producer
  • *****
  • Posts: 779
Re: URGENT! Heartbleed Bug
« Reply #7 on: May 15, 2014, 08:23:45 am »
Thanks for the info! :)

However, since we don't have SSL, doesn't that mean that our passwords can be seen by internet companies in the route between us and project-imas? In fact, I think that all the forums I visit most frequently don't have SSL. I'm not really worried about this, because they're just forum accounts, but I'm curious why SSL isn't used. If passwords and nothing else were encrypted en route, I think that would be a significant increase in security.
« Last Edit: May 15, 2014, 08:27:10 am by altuixde »

Yunabeco

  • Webmaster
  • Administrator
  • Member
  • *****
  • Posts: 133
  • Chihaya appreciator.
    • Project-iM@S
Re: URGENT! Heartbleed Bug
« Reply #8 on: May 15, 2014, 03:50:59 pm »
That's correct; when encryption isn't used, credentials are clearly visible to anybody who plugs themselves between you and the server. This includes ISPs.

The reason SSL isn't used everywhere is rather simple; SSL certificates, by which I mean trusted SSL certificates, cost money, and require proper registration to be able to pinpoint exactly who uses what certificate.

It's possible to roll your own, personal, free certificate by signing it yourself, but this one obviously wouldn't be approved by the authorities your computer/browser knows. The browser would (rightfully) warn you that this site uses security, but cannot warrant its safety, which somewhat defeats the point; in this case, the ISP could just replace the untrusted certificate with another untrusted one.

The current host requires all certificates to be set through its platform (after paying, of course), so unfortunately, I can't roll a free one.  :(
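
The self-signed certificate point from Reply #8, as an added example that is not part of the original thread: two independently generated self-signed certificates for the same hostname get the same verdict from ordinary CA validation, so a client cannot tell them apart that way. The hostname `forum.example`, the labels `site` and `swapped`, and the out-of-band fingerprint comparison (which goes slightly beyond the post) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. forum.example and the labels "site"/"swapped" are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <label>: fresh key plus self-signed certificate for forum.example.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=forum.example" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# subject_of <label>: the name the certificate claims.
subject_of() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject
}

# ca_verdict <label>: result of ordinary chain validation against the
# system trust store, which is all a browser has to go on by default.
ca_verdict() {
    if openssl verify "$WORK/$1.crt" 2>&1 | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# fingerprint <label>: SHA-256 fingerprint of the certificate.
fingerprint() {
    openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# pin_verdict <pinned-fingerprint> <label>: compare against a fingerprint
# the client obtained out of band (assumption: such a channel exists).
pin_verdict() {
    if [ "$(fingerprint "$2")" = "$1" ]; then echo match; else echo mismatch; fi
}

make_cert site      # generated by the site owner
make_cert swapped   # generated by someone else for the same hostname
PINNED=$(fingerprint site)

echo "subjects equal: $([ "$(subject_of site)" = "$(subject_of swapped)" ] && echo yes || echo no)"
echo "CA validation:  site=$(ca_verdict site) swapped=$(ca_verdict swapped)"
echo "pin check:      site=$(pin_verdict "$PINNED" site) swapped=$(pin_verdict "$PINNED" swapped)"
```

Both certificates carry the same subject and are both rejected by CA validation; only the fingerprint recorded beforehand separates the site's certificate from the substituted one.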

altuixde

  • Producer
  • *****
  • Posts: 779
Re: URGENT! Heartbleed Bug
« Reply #9 on: May 15, 2014, 11:26:25 pm »
Thanks (again) for the info!