
Heartbleed SSL bug serious vulnerability impacting major services, being patched now

OP title bothers me. This isn't SSL failing over and over again. Apple's bug was an implementation issue. The HeartBleed bug is an implementation issue. This is not an attack on SSL itself. 'SSL keeps on failing' implies there's something wrong with the protocol and shouldn't be trusted, which is foolish.
There are also things wrong with the protocol, but it does move forward to mitigate those issues. This is why we have several versions of the protocol.
 
Yikes. If anyone in this thread uses Lastpass, I'd suggest Keepass instead since a locally stored database can't be affected by something like this.

If you have 2-step verification enabled with Lastpass, you should be okay.
 
If you have 2-step verification enabled with Lastpass, you should be okay.

Glad I set that up when I first got it. Only big worry is Yahoo, though it's only for junk mail at this point. Still sucks and it means I probably should just abandon it entirely.
 
Crap...I am literally logged into eBay right now.

So I'm screwed, right? :x
This bug has been around for two years. So potentially all data stored in a server's memory in the past two years has been exposed, if they're running openssl. Realistically, just change your passwords once everybody updates their openssl versions.

There will always be the potential that passwords or keys have been leaked, hacked, stolen etc. The question is what's the probability. In this case, you're probably OK because you can't access arbitrary memory, and the most likely thing taken is keys. Just change your passwords and move on, but you're probably fine either way.
 
LastPass data is only ever encrypted and decrypted locally on your PC, never on their servers. Only an encrypted data blob is stored on the servers, and nothing that could decrypt the data is ever sent there. So as long as you have a strong master password (meaning it doesn't really matter all that much if someone did manage to steal a copy of your synced data) it should be fine, right?

EDIT: Yeah:

LastPass said:
However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted - it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection.

http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

And I do trust these guys, they've never given anyone a reason not to.
 
LastPass data is only ever encrypted and decrypted locally on your PC, never on their servers. Only an encrypted data blob is stored on the servers, and nothing that could decrypt the data is ever sent there. So as long as you have a strong master password (meaning it doesn't really matter all that much if someone did manage to steal a copy of your synced data) it should be fine, right?

That's how it's supposed to work, but given the type of data you have stored with it 2-step verification is still recommended.
 
I'd suggest logging out or removing any accounts that automatically log in to these affected sites on your phone as well. Had to manually remove my Yahoo account just in case.

That one is probably already toast anyway. Can't remember if I have 2-step setup on it or not.
 
LastPass data is only ever encrypted and decrypted locally on your PC, never on their servers. Only an encrypted data blob is stored on the servers, and nothing that could decrypt the data is ever sent there. So as long as you have a strong master password (meaning it doesn't really matter all that much if someone did manage to steal a copy of your synced data) it should be fine, right?

EDIT: Yeah:



http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

And I do trust these guys, they've never given anyone a reason not to.
That's what I assumed about keepass. Maybe I need a stronger password. Yeah, someone can get the file. But then again, it's for all the other passwords.
 
How does that work if you work from multiple computers? Is there an allowance for that?

Not to be all "I told you so", but I never thought things like LastPass were a good idea.

What I do is use an app like Mnemosyne where I re-generate my pass for a site/service on the fly whenever I need it. Have Mnemosyne on all my computers + my phone.

It is a slightly slower process? Yup. But I'm storing my passwords NOWHERE, online or off.
 
Two-factor isn't enough. (It's at best a mitigation… but if you just logged in, and someone got your session key, welp.)

https://twitter.com/blubbfiction/status/453513110348107776

What I do is use an app like Mnemosyne where I re-generate my pass for a site/service on the fly whenever I need it. Have Mnemosyne on all my computers + my phone.

It is a slightly slower process? Yup. But I'm storing my passwords NOWHERE, online or off.
I'm looking at a screenshot of Mnemosyne and I'm sorta curious—how do you keep tabs on sites that have different password requirements?
 
I'd suggest logging out or removing any accounts that automatically log in to these affected sites on your phone as well. Had to manually remove my Yahoo account just in case.

That one is probably already toast anyway. Can't remember if I have 2-step setup on it or not.

Shouldn't that just rely on the authentication token rather than the username/password combo?

I mean, granted, that token can be compromised, but it will have to get rotated post patch anyway and it's less of an issue than compromising the actual password.
 
LastPass data is only ever encrypted and decrypted locally on your PC, never on their servers. Only an encrypted data blob is stored on the servers, and nothing that could decrypt the data is ever sent there. So as long as you have a strong master password (meaning it doesn't really matter all that much if someone did manage to steal a copy of your synced data) it should be fine, right?

EDIT: Yeah:



http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

And I do trust these guys, they've never given anyone a reason not to.

Ohhh, yeah. That's why if you forget your password there is no way to reset it. That makes me feel even better, though I wasn't too worried in the first place.
 
Frankly, I trust LastPass to keep my data secure over whatever cloud service I'm opting to use. Although this SSL certificate issue is worrying, it would affect Dropbox, AmazonS3, Bitbucket, Github, and anything else.

Yeah, if you're gonna store your passwords in the cloud anyway, might as well just use LastPass directly and skip the middleman cloud service. LastPass pretty much exists to do just this one job securely for you, and by all accounts they're doing it very well.
 
Not to be all "I told you so", but I never thought things like LastPass were a good idea.

What I do is use an app like Mnemosyne where I re-generate my pass for a site/service on the fly whenever I need it. Have Mnemosyne on all my computers + my phone.

It is a slightly slower process? Yup. But I'm storing my passwords NOWHERE, online or off.

So I just looked at this, do you use a different phrase for each site? From what I see, the same phrase with the same criteria (letters, numbers, length, etc.) will always generate the same password. It looks interesting, but it would be very circumstantial on which websites I would use it for. Without creating different phrases and criteria, it looks like the same password would be used for every site.

Lastpass just seems more user friendly and secure, every site has a different, unique password, and my account is secured by two-step authentication. I am always looking to keep my options open if something better comes along. Choosing a password manager for me is a fine line between security and user-friendliness. I don't want to jump through lots of hoops to be able to log in to my credit card account to pay my bill, but I also don't want to use the same password on 20 different sites.
 
Well if what he's claiming is true, not even shidoshi's suggestion above would necessarily be safe then if you're between logins.
I believe the claim is true. Very plausible.

The only safe option at this point is to have never logged in to a given service since the bug went public.

Other than that, you just have to hope your service provider gets their act together, changes out their certs post-haste, and has a safe path for changing your password afterward (re-requiring 2FA, verifying with email, something.)
 
I believe the claim is true. Very plausible.

The only safe option at this point is to have never logged in to a given service since the bug went public.

Other than that, you just have to hope your service provider gets their act together, changes out their certs post-haste, and has a safe path for changing your password afterward (re-requiring 2FA, verifying with email, something.)

This period of not being able to do anything to secure my accounts is what worries me. Logging in to change passwords now could be the worst mistake to make at the moment, but at the same time someone could have stolen them yesterday when I last logged in to a vulnerable site.

At least when someone hacks a site, we are able to act immediately by changing passwords on that site (if it was unique) or change the universal password. In this situation, we just have to wait... which doesn't make me feel safe at all.
 
One thing I don't understand is: if I change a password now (for a site that's vulnerable), it's sent via SSL? So it could be read from the server's memory?
The other thing is: Isn't the text encrypted?
 
So what does this mean? All logins are just boned? If you change now they just steal the data right? Do apps like yahoo mail or gmail use SSL also?
 
One thing I don't understand is: if I change a password now (for a site that's vulnerable), it's sent via SSL? So it could be read from the server's memory?
The other thing is: Isn't the text encrypted?

Encrypted with the server's public key which is decrypted using its secret key.. and if the secret key is exposed~~
 
Guys, shouldn't we create a list or update the OP with services that we know are vulnerable for people who don't know about it yet?
 
Yikes. If anyone in this thread uses Lastpass, I'd suggest Keepass instead since a locally stored database can't be affected by something like this.
Almost everyone who uses Keepass is going to be using a file sharing service to keep their passwords synchronised between their devices. That file sharing service is going to be just as vulnerable as LastPass was.

Also, even with this bug, the passwords are still encrypted. Even presuming people have exploited it to steal data, they can't get the actual passwords.

Oh fuck. I logged in a few hours ago but I have my pw saved on my comp/browser. My wife also paid for something with PayPal like an hour ago. Am I fucked?
No. To actually exploit this beyond a handful of targeted users would require a lot of work.
 
Almost everyone who uses Keepass is going to be using a file sharing service to keep their passwords synchronised between their devices. That file sharing service is going to be just as vulnerable as LastPass was.

My Keepass database requires a key file that isn't stored on Dropbox. Even if you get into my Dropbox account AND had my database password, you're still not getting in. Keepass is as secure as you want to make it.

They're not paying me, I swear. I just think it's a great program that has saved me from a lot of security headaches.
 
My Keepass database requires a key file that isn't stored on Dropbox. Even if you get into my Dropbox account AND had my database password, you're still not getting in. Keepass is as secure as you want to make it.
LastPass also requires a key that isn't stored on LastPass servers.

I use Keepass myself, but I feel I should be cautious in recommending Keepass because the vast majority of users will not make their database more secure than LastPass. Or they won't properly back up their database, and they'll lose all their passwords when their hard drive dies.
 
My Keepass database requires a key file that isn't stored on Dropbox. Even if you get into my Dropbox account AND had my database password, you're still not getting in. Keepass is as secure as you want to make it.

They're not paying me, I swear. I just think it's a great program that has saved me from a lot of security headaches.

And LastPass requires a master password (which you should obviously make sure is strong) that never leaves your computer, since all encryption and decryption happens locally. The LastPass servers only store your encrypted data blob. So their servers could also be completely compromised (which is highly unlikely as they employ very high security), and your data would still be safe as long as your master password is good. Plus, you can choose to add extra security to that via various methods of multi-factor authentication.

EDIT: As Slavik81 says, LastPass is probably more secure and safe (these things both matter greatly) for the average person.
 
yes I've read that later, but how was the private key exposed? Is it stored in the memory?

During the authentication handshake the server has to keep the secret key in memory for a bit. The vulnerability arbitrarily allows the client to disclose 64KB of the server's ram (around the openssl process memory) continuously if desired. So they could pull out the secret key with enough polling.
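The post above describes the defect: the server hands back as many bytes as the heartbeat request *claims* to carry, without checking that the record actually contains them. RFC 6520 already states the rule the fixed OpenSSL enforces (a heartbeat whose declared payload length plus the 3-byte header plus 16 bytes of minimum padding exceeds the record length must be discarded), and the same rule makes a simple passive check for captured traffic. The following is an added example written for this thread, not code from OpenSSL or from any poster; the TLS records it scans are constructed inline as test fixtures, and the "over-read" verdict name is my own label.

```python
import struct

TLS_HEARTBEAT = 0x18        # TLS record content type for heartbeat messages (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16            # RFC 6520: at least 16 bytes of padding follow the payload


def parse_tls_records(data):
    """Split a byte stream into (content_type, version, body) TLS records.

    Stops at the first truncated record so a partial capture never
    produces a bogus body.
    """
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, version, body))
        offset += 5 + length
    return records


def check_heartbeat(body):
    """Apply the RFC 6520 length rule to one heartbeat record body.

    Returns (verdict, declared_payload_length). "over-read" means the
    declared payload does not fit in the record: a patched server must
    silently drop it, an unpatched one answers with memory it never
    received.
    """
    if len(body) < 3:
        return ("malformed", None)
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return ("malformed", declared)
    if declared + 3 + MIN_PADDING > len(body):
        return ("over-read", declared)
    return ("ok", declared)


def scan(data):
    """Return one finding per heartbeat record in the stream; other record types are skipped."""
    findings = []
    for ctype, version, body in parse_tls_records(data):
        if ctype != TLS_HEARTBEAT:
            continue
        verdict, declared = check_heartbeat(body)
        findings.append({
            "version": version,
            "declared_payload": declared,
            "record_body_len": len(body),
            "verdict": verdict,
        })
    return findings


# Constructed sample stream (not captured traffic):
#  1. an ordinary application-data record carrying "Hello"
#  2. a well-formed heartbeat request: 4-byte payload, 16 bytes padding, body = 23 bytes
#  3. a heartbeat request that declares a 16384-byte payload but carries 1 byte
APP_DATA = bytes.fromhex("17030200054865" "6c6c6f")
GOOD_HB = bytes.fromhex("1803020017" + "01" + "0004" + "deadbeef" + "00" * 16)
BAD_HB = bytes.fromhex("1803020014" + "01" + "4000" + "41" + "00" * 16)
SAMPLE_STREAM = APP_DATA + GOOD_HB + BAD_HB


if __name__ == "__main__":
    for finding in scan(SAMPLE_STREAM):
        print(finding)
```

The check only sees heartbeat bodies that travel in the clear, which is exactly the case that mattered in 2014: the probe could be sent before the handshake finished, so the record was not yet encrypted. Once a session is encrypted the body is opaque to a passive observer, so this is a spot check for captures and a model of the server-side rule, not a complete IDS.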
 