Heartbleed (bug)

RatHead
Posts: 575
Joined: Wed Nov 13, 2013 2:17 am
Location: my head, my computer, or outside.

Heartbleed (bug)

Post by RatHead »

Hey guys, and Mods, there's a new bug out on the internet called Heartbleed (the Heartbleed bug), and it is affecting passwords and such. I checked on LastPass's Heartbleed checker, and it couldn't find this site's SSL certificate: https://lastpass.com/heartbleed/?h=housepetscomic.com I was wondering if HP!'s SSL certificate is safe, and I like posting and coming here, and I do it every day, but if it is not safe I will not post here; also, if it is not safe, I will have to change my password when I DO come back.
Also, I suggest that all of you fellow forumites change your passwords as well if the SSL certificate is deemed unsafe.
Thank you.
RatHead.
Avatar by 18gingasoldier!

HP! Messenger
Limp-in around eatin a dirty rubber Bizkit
Tatsuo
Posts: 401
Joined: Sat May 18, 2013 3:38 am

Re: Heartbleed (bug)

Post by Tatsuo »

Ehh :shock: .....From a bit of research... this is pretty bad. Like REALLY bad. Found a vid

http://www.youtube.com/watch?v=QjKUdMVRzJw


This goes beyond housepets. Thanks, RatHead, for showing this. Didn't know about this. Problem is though, there's not really much we can do if in fact someone found out about this before anyone else did.
We assume so much, and know so little...
"Don't walk behind me; I may not lead. Don't walk in front of me; I may not follow. Just walk beside me and be my friend." - Albert Camus.
Obbl
Smiley McSmiles
Posts: 3231
Joined: Tue Apr 27, 2010 1:56 pm
Location: The Housepets Forum ^^

Re: Heartbleed (bug)

Post by Obbl »

Housepets! forums does not use an encrypted connection. This is common with many forums, as security of information is less of an issue and certificates add to the overhead of server costs. This has an interesting advantage of not being vulnerable to the Heartbleed bug, but it is still an insecure connection. It makes a good argument for why you should keep separate passwords for separate sites.

On the topic of Heartbleed, yes, this is a very bad bug in the code that you should pay attention to, as it likely affects you.
Here is a site that has a nice list of common websites that you might be concerned about.
Here is a site for checking other websites you frequently log in to. (Note that the Housepets! site gives you an "Uh-oh something went wrong" and tells you the connection was refused. This is because Housepets! does not have the option for an https connection.)

As a note, if the website is still vulnerable (i.e. they have not implemented the patch), there is nothing you can do at the moment except wait for them to update their servers and renew their security certificate. If they were vulnerable and now have patched it, you should change your password in case it was uncovered before the patch was implemented.
RatHead
Posts: 575
Joined: Wed Nov 13, 2013 2:17 am
Location: my head, my computer, or outside.

Re: Heartbleed (bug)

Post by RatHead »

Tatsuo wrote:Ehh :shock: .....From a bit of research... this is pretty bad. Like REALLY bad. Found a vid

http://www.youtube.com/watch?v=QjKUdMVRzJw


This goes beyond housepets. Thanks, RatHead, for showing this. Didn't know about this. Problem is though, there's not really much we can do if in fact someone found out about this before anyone else did.
Yeah, it is.
You're welcome Tatsuo, and thanks for noticing how very bad it is, and that is a big problem as you said; that's why I was bringing it up here as soon as I could so that it could be seen and discussed and, if needed, taken care of to the best possible ability on here.
Obbl wrote:Housepets! forums does not use an encrypted connection. This is common with many forums, as security of information is less of an issue and certificates add to the overhead of server costs. This has an interesting advantage of not being vulnerable to the Heartbleed bug, but it is still an insecure connection. It makes a good argument for why you should keep separate passwords for separate sites.

On the topic of Heartbleed, yes, this is a very bad bug in the code that you should pay attention to, as it likely affects you.
Here is a site that has a nice list of common websites that you might be concerned about.
Here is a site for checking other websites you frequently log in to. (Note that the Housepets! site gives you an "Uh-oh something went wrong" and tells you the connection was refused. This is because Housepets! does not have the option for an https connection.)

As a note, if the website is still vulnerable (i.e. they have not implemented the patch), there is nothing you can do at the moment except wait for them to update their servers and renew their security certificate. If they were vulnerable and now have patched it, you should change your password in case it was uncovered before the patch was implemented.
Thank you Obbl for cashing in your 2 cents on this, and here's my response:
I would tend to think that, knowing encrypted connections, NOT having one would be EXTREMELY unsafe, and I would think it would make HP! MORE vulnerable, but tech-savvy as I may be, I do not know everything, and so I trust your knowledge/research on this.

How do you mean
Obbl wrote:affects you.
?

And I was able to find a list of infected websites and a website safety checker, and I got the same result you did with it.


I am planning on waiting for sites like Facebook and such, as I am unsure and do not want another virus to happen to me.
also
I am planning on (and have already started) changing my passwords.



A big reason why I brought this up so quick is that I got a virus from a friend once (accidentally, he did not know) when he was giving me a movie from his stick. The virus was so bad it fried my hard drive and motherboard. No, literally FRIED them, like melted and burned them (at least in parts) to a crisp!
RandomGeekNamedBrent
laughing maniacally
Posts: 21032
Joined: Mon Jan 24, 2011 10:42 pm
Location: an invisible, flying volcano over Virginia

Re: Heartbleed (bug)

Post by RandomGeekNamedBrent »

RatHead wrote:How do you mean
Obbl wrote:affects you.
?
He means that, based on how many extremely popular sites are or were vulnerable to this bug, most people have reason to worry about it.
RatHead wrote:Thank you Obbl for cashing in your 2 cents on this, and here's my response:
I would tend to think that, knowing encrypted connections, NOT having one would be EXTREMELY unsafe, and I would think it would make HP! MORE vulnerable, but tech-savvy as I may be, I do not know everything, and so I trust your knowledge/research on this.
Obbl was saying that the forums are safe from this bug, but highly vulnerable to other kinds of attacks, both because of the lack of a secure connection. And so, on any forums you frequent, you should probably use a password you don't use for any more important things.

Gaining access to your forum account isn't that big a deal; the worst someone can do is make posts you wouldn't. So a secure connection isn't needed.
But if the password you use here is the same as, say, your bank account's, then getting it is a much bigger issue. But only if you've chosen to use the same password as an important account.

Social networking sites and things like PayPal need the secure connection because you're posting all kinds of personal information that would be very bad if someone else got access to it. But unfortunately, they got access to it through this bug.
Paradigm Shift by me
I do not actually believe any of what I'm saying.
RP character sheets
kurowolfe
Posts: 2623
Joined: Sat Jun 18, 2011 7:18 pm
Location: Sabah, Malaysia

Re: Heartbleed (bug)

Post by kurowolfe »

Yeah, I've heard of how bad this bug seems to be. But let's say I don't do anything like changing passwords and whatnot, or taking the Do-Nothing approach, would it be beneficial or detrimental for my laptop?

Just so you know, I know for a fact that my laptop has some inactive worms and viruses that don't seem to be transmitted across devices and have become benign on my laptop because of how ancient it is.

Applegate Appearance Cheat Sheet

Haq Dzi'ab (Blue Peaks Shore) || Mikan Kawabe (Applegate) || Hajime (Apollo City)
Obbl
Smiley McSmiles
Posts: 3231
Joined: Tue Apr 27, 2010 1:56 pm
Location: The Housepets Forum ^^

Re: Heartbleed (bug)

Post by Obbl »

RatHead wrote:I am planning on waiting for sites like Facebook and such, as I am unsure and do not want another virus to happen to me.
also
I am planning on (and have already started) changing my passwords.
Well, heartbleed is not a virus, nor is it a vulnerability that is capable of giving you a virus.
Here's how it works:
A small portion of the OpenSSL implementation is called Heartbeat. Basically, if you are connected to the server via HTTPS, you can request that the server echo back a message (to check the connection/keep it alive). So (as in the XKCD comic linked above), if you send it "potato", it should echo "potato". The problem is that you also specify how big the message that you are sending is as well. "Potato" is six letters, so you ask it to respond with six letters. OpenSSL had a small bug where it didn't check your requested message against the requested length. So if I ask it to echo "potato" and say it is 6 letters, it'll respond with "potato". If I ask it to respond with "bird" and say it is 4 letters, it'll respond with "bird". If I ask it to respond with "hat" and say it is 500 letters... it'll respond with "hat" followed by 497 more letters of whatever is lying around in memory at the time.
Since this memory belongs to the server, it may have random gobbledygook, or it may have session keys, cookies, or other important stuff lying around like passwords. This then gets sent back to the user. Thus the patch is really simple: if they ask for a response that is larger than the message they sent, either give them zeroes after the message, give them exactly the message they requested and ignore the size, or ignore the message altogether.

Since Facebook says they've patched their servers, the vulnerability cannot be used against them anymore. Thus any further connections you make with them will be secure. The only issue is that information may have been gleaned from them before the patch was put in place, so it's possible people had access to passwords at some point.
kurowolfe wrote:Yeah, I've heard of how bad this bug seems to be. But let's say I don't do anything like changing passwords and whatnot, or taking the Do-Nothing approach, would it be beneficial or detrimental for my laptop?
It's not important to your laptop. It's important to any accounts you have whose information may have been leaked. Your Facebook password may have been leaked. Your gmail password may have been leaked. Your minecraft password may have been leaked. Your Dropbox password may have been leaked. And even if one of the sites you go to wasn't vulnerable, if you use the same password there as on a site that was vulnerable, someone may get in anyway.
So, passwords really should be changed to be safe. Due to the random nature of what information might have been leaked (and how invisible the attack is), it is unclear what the risk is of your account information having been leaked.
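The echo-versus-declared-length mismatch Obbl describes, as an added example that is not code from this thread or from OpenSSL: a small C model with a constructed "server memory", the buggy echo next to the patched one. MEM_SIZE, server_mem, the SECRET= string, and every function name here are assumptions made for this model, and the memory is kept small so the model itself stays in bounds.

```c
#include <stdint.h>
#include <string.h>

/* Constructed "server memory": a heartbeat request [len(2)][payload] at the
 * front, an unrelated constructed secret further along (not OpenSSL's layout). */
#define MEM_SIZE 64
static unsigned char server_mem[MEM_SIZE];

/* Place a request in memory. declared_len is what the peer claims; the return
 * value is the record length actually received. Assumes declared_len + 2 <= MEM_SIZE. */
static size_t build_memory(const char *payload, uint16_t declared_len) {
    size_t plen = strlen(payload);
    memset(server_mem, '.', MEM_SIZE);
    server_mem[0] = (unsigned char)(declared_len >> 8);
    server_mem[1] = (unsigned char)(declared_len & 0xff);
    memcpy(server_mem + 2, payload, plen);
    memcpy(server_mem + 40, "SECRET=hunter2", 14);   /* constructed leftover */
    return 2 + plen;
}

/* Buggy echo: trusts the declared length and never consults record_len, so
 * "hat" declared as 60 bytes copies 57 bytes of whatever follows it. */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out) {
    uint16_t declared = (uint16_t)((server_mem[0] << 8) | server_mem[1]);
    (void)record_len;                     /* the bug: never checked */
    memcpy(out, server_mem + 2, declared);
    return declared;
}

/* Patched echo: the declared length must fit inside the record actually
 * received; otherwise the request is silently discarded. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out) {
    uint16_t declared = (uint16_t)((server_mem[0] << 8) | server_mem[1]);
    if ((size_t)2 + declared > record_len)
        return 0;
    memcpy(out, server_mem + 2, declared);
    return declared;
}

/* Probe one scenario: how long the response is, and whether the constructed
 * secret ended up inside it. */
static int response_len(const char *payload, uint16_t declared, int use_fix) {
    unsigned char out[MEM_SIZE] = {0};
    size_t rec = build_memory(payload, declared);
    return (int)(use_fix ? heartbeat_fixed(rec, out) : heartbeat_vulnerable(rec, out));
}
static int secret_leaked(const char *payload, uint16_t declared, int use_fix) {
    unsigned char out[MEM_SIZE + 1] = {0};
    size_t rec = build_memory(payload, declared);
    size_t n = use_fix ? heartbeat_fixed(rec, out) : heartbeat_vulnerable(rec, out);
    out[n] = '\0';
    return strstr((char *)out, "SECRET=") != NULL;
}
```

The real bug allowed up to 64 KB per request, not the 62 bytes this model can hold, and each request could be repeated, which is why a "random grab-bag" still adds up.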
Hlaoroo
FROSTWOOD FOREVER!
Posts: 14492
Joined: Wed Mar 27, 2013 5:09 am
Location: Down under Down Under

Re: Heartbleed (bug)

Post by Hlaoroo »

To be honest, I don't really understand all the fuss over this bug. It's not the first bug/virus of its kind, nor will it be the last, and it's really no worse than any other virus which can get your details, especially since this bug won't actually damage your computer directly. Besides, if you use a properly secure password containing letters and numbers, especially in a random combination, then it'll appear random to whatever decryption software they're using anyway, so they probably won't even realise it's a password. Also, as has been pointed out, this just gets a random chunk of whatever happens to be in the computer's memory at the time of sending, which may or may not contain sensitive information. Chances are, I think, that they aren't going to get anything from you, and if they do they aren't going to recognise it for what it is anyway. A credit card number in a random string of numbers just looks like more numbers after all.
Frostwood Forever! <3

My RP Characters

Avatar drawn by the amazing ScruffKerfluff!

Obbl
Smiley McSmiles
Posts: 3231
Joined: Tue Apr 27, 2010 1:56 pm
Location: The Housepets Forum ^^

Re: Heartbleed (bug)

Post by Obbl »

Since it's server memory, you may end up with recent http requests which would have the information in plaintext and labeled. As demonstrated by Mark Loman when he scanned Yahoo. And the user can send this out as many times as they want, in quick succession. It's a random grab-bag for the attacker, but I personally don't want to take any chances my information wasn't in the bag.

(one of Mark Loman's scan results)
Tatsuo
Posts: 401
Joined: Sat May 18, 2013 3:38 am

Re: Heartbleed (bug)

Post by Tatsuo »

Hlaoroo wrote:To be honest, I don't really understand all the fuss over this bug. It's not the first bug/virus of its kind, nor will it be the last, and it's really no worse than any other virus which can get your details, especially since this bug won't actually damage your computer directly. Besides, if you use a properly secure password containing letters and numbers, especially in a random combination, then it'll appear random to whatever decryption software they're using anyway, so they probably won't even realise it's a password. Also, as has been pointed out, this just gets a random chunk of whatever happens to be in the computer's memory at the time of sending, which may or may not contain sensitive information. Chances are, I think, that they aren't going to get anything from you, and if they do they aren't going to recognise it for what it is anyway. A credit card number in a random string of numbers just looks like more numbers after all.

That's the problem: there is no virus or bug, it's a gap in security on the other end. You'd never know. As stated in the video, it's like a fishing game. You throw out your line and see what catches. On top of this, no one really knows if someone figured out all this on their own. All we know is that the gap in security has been there for a number of years.

I hate to say it, but because of the "News People" bringing this up, and the internet being showered with this info, we now have a better chance of our password being compromised than before.
RatHead
Posts: 575
Joined: Wed Nov 13, 2013 2:17 am
Location: my head, my computer, or outside.

Re: Heartbleed (bug)

Post by RatHead »

Hlaoroo wrote:To be honest, I don't really understand all the fuss over this bug. It's not the first bug/virus of its kind, nor will it be the last, and it's really no worse than any other virus which can get your details, especially since this bug won't actually damage your computer directly. Besides, if you use a properly secure password containing letters and numbers, especially in a random combination, then it'll appear random to whatever decryption software they're using anyway, so they probably won't even realise it's a password. Also, as has been pointed out, this just gets a random chunk of whatever happens to be in the computer's memory at the time of sending, which may or may not contain sensitive information. Chances are, I think, that they aren't going to get anything from you, and if they do they aren't going to recognise it for what it is anyway. A credit card number in a random string of numbers just looks like more numbers after all.
That's the problem, Roo: these guys know which numbers are theirs and which aren't, and therefore the ones they can use on you to their advantage; also, as Obbl showed, they have smart programming that shows them the differences and what they want to know...

And Tatsuo? Trojans and other bugs have been around for years and are still very dangerous!
Although I'm not sure that we're really any worse off now that it's out there, I would think we're better off as people now know to change their passwords and such.
Hlaoroo
FROSTWOOD FOREVER!
Posts: 14492
Joined: Wed Mar 27, 2013 5:09 am
Location: Down under Down Under

Re: Heartbleed (bug)

Post by Hlaoroo »

Then it's still no different to any other kind of security breach. Take key loggers and tracking cookies for instance. They send everything you type across to whoever created them. Changing your password won't help if they ping the site after you've changed it anyway. This is certainly not the first or the last security breach to allow access to this kind of information. I'm not saying we should be lax in our security or completely ignore the threat; I'm just saying take it with a grain of salt and don't panic overly.