
The Heartbleed Hit List: The Passwords You Need to Change Right Now



The Heartbleed Bug affects web sites that use OpenSSL software to encrypt internet data on their servers. Just to confuse us, SSL is now called TLS, but how can we protect ourselves if passwords have been hacked? The chances of this are small, but mashable.com have made a list of affected sites, and have a helpful video explaining this bug. BTW Manx Forums does not seem to use Secure Logins on its site, so if you see a post from Thomas Jefferson telling us to trust government because it's doing a great job, it's probably fake.

 

The Heartbleed Hit List: The Passwords You Need to Change Right Now. http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/


It shouldn't affect too many people, as I am sure you all use the likes of LastPass and have a unique password for every website you have....

And most people will be connecting using sessions rather than passwords. When's the last time anyone entered their passy into mf?

Slim am I right in saying Manx Forums has no SSL or TLS? So all logins and posts are not encrypted on here. You seem to know more about this stuff than most.

 

 

Heartbleed vulnerable websites on the Alexa top 10000 https://gist.github.com/dberkholz/10169691

Slim, I log in every time funnily enough! lol

 

Correct, although the passwords are partially encrypted with a PHP algorithm usually, so they still need decrypting.

 

Thanks

Tony

That's correct, if there's no certificate, the login is plain text.

Affected sites are being advised to revoke existing SSL certificates and issue new ones, since existing certificates can potentially be decrypted from previously logged traffic, i.e. even after the fix.

 

But many users do not have their OS / browsers set up to check for revoked certificates anyhow.

Ok thanks for the clarification, not much point in changing the Manx Forums password then.

If its web server was vulnerable to Heartbleed there would still be a need. Sniffing HTTP isn't trivial, you still need to be able to sniff the connection somehow, whereas Heartbleed allows anyone to get 64k out of the server which might contain your passwords or sessions.


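Added example, not part of any post in this thread: a small C model of why a heartbeat reply could hand back server memory, next to the length check that closes it. The arena layout, the fake session cookie and all function names are constructed for illustration; the message layout (type, 2-byte length, payload, at least 16 bytes of padding) follows the TLS heartbeat extension.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16   /* minimum padding in a heartbeat message */
#define ARENA_SIZE 64
/* Constructed stand-in for server memory: received record, then a fake cookie. */
static uint8_t arena[ARENA_SIZE];

/* Lay out type | claimed length | payload | padding; returns real record length. */
size_t make_arena(uint16_t claimed, const char *payload) {
    size_t n = strlen(payload), rec_len = 3 + n + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat request */
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, payload, n);
    memcpy(arena + rec_len, "session=CONSTRUCTED", 19);
    return rec_len;
}
/* Pre-fix behaviour: echoes as many bytes as the length field claims. */
size_t hb_echo_unchecked(const uint8_t *rec, uint8_t *out) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (3 + claimed > ARENA_SIZE) claimed = ARENA_SIZE - 3; /* demo-only clamp */
    memcpy(out, rec + 3, claimed);
    return claimed;
}
/* Fixed behaviour: discard unless header + payload + padding fit the record. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 3 + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (3 + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}
/* Returns 1 if needle occurs in the first n bytes of buf. */
int leaked(const uint8_t *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}
int main(void) {
    uint8_t out[ARENA_SIZE];
    size_t rec_len = make_arena(40, "hi"), n = hb_echo_unchecked(arena, out);
    printf("unchecked: %zu bytes, leak=%d\n", n, leaked(out, n, "session="));
    n = hb_echo_checked(arena, rec_len, out);
    printf("checked:   %zu bytes, leak=%d\n", n, leaked(out, n, "session="));
}
```

The request carries a 2-byte payload but claims 40, so the unchecked echo runs past the record into whatever sits next to it; the checked version drops the message because the claimed size cannot fit in the 21 bytes actually received.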
Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bug

 

"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed. The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach."

 

http://www.cra-arc.gc.ca/gncy/sttmnt2-eng.html


Archived

This topic is now archived and is closed to further replies.
