Heartbleed SSL bug serious vulnerability impacting major services, being patched now

Status
Not open for further replies.
Technically this is true, but SSL accelerators are almost ubiquitous in the enterprise. Probably not worth worrying about.
Not a fan of playing the odds when this level of risk is on the line.

Just to make sure: even if I access a website where my password is cached I'm still logging in and can be vulnerable to this type of attack?
If you aren't actively logging in, you're almost certainly sending a session cookie. That cookie can be lifted and your account hijacked that way. This is why your password is often required to change your password—in case someone lifted your session cookie through other means, they will be required to provide the password which they wouldn't know in order to take possession of your account.
 
From a work point of view, we've been pretty lucky - all the HPC systems we run were using Open SSL v 0.9.8x which means we've never been vulnerable.

I never thought I'd be glad that we hadn't started the next wave of OS upgrades yet.
 
Some are saying Microsoft and thus Hotmail are not vulnerable because they don't use OpenSSL; others say they are vulnerable. Google and all of its variants do not seem to be, but they probably were in the past. Instead of going nuts and keeping us updated over every detail, everyone is keeping quiet.

I would be highly surprised if Microsoft's services were vulnerable as even HotMail moved away from UNIX many many years ago, and Microsoft don't use OpenSSL's implementation of SSL in their products.

That said.

If Office 365 were vulnerable (or to a similar bug), it could be as big a problem as Yahoo, given that for many customers (e.g. IMAPS) authentication to Microsoft's servers happens in clear text (AUTH PLAIN for IMAP) within the SSL stream (if that makes sense). There are other, more secure authentication methods for IMAP but Microsoft choose to not support them, trusting in SSL alone.
 
I don't think worrying about the last two years is productive.

Worrying about the last 48 hours or so, since the public disclosure, is where your energy should be directed.
 
I don't think worrying about the last two years is productive.

Worrying about the last 48 hours or so, since the public disclosure, is where your energy should be directed.

I sort of agree.

The threats have to be classified.

Threat a) is someone who has archived TWO YEARS of SSL traffic, became aware of this problem 48 hours ago, got the keys and is now busily decrypting them. Let's be honest, we're talking about Intelligence Agencies. Do I care if they have access to my e-mail? Well, I care from an... idealism standpoint but I'm not too worried. Some people might be. They should have grabbed their bail-out bag and left on Monday night.

Threat b) is someone who knew about the vulnerability for some time and archived passwords/keys etc. This probably means a small number of hackers, security researchers + possibly (probably) the intelligence agencies from a). You or I probably should care about the hackers. But this is a small number of people, and the threat, while devastating, is a small threat. This doesn't mean it's not real, because if you are targeted it could be devastating.

Threat c) is every idiot grabbing user accounts + passwords + keys with the tools helpfully published since Monday. And numerically, that's a much, much bigger threat.

What most people should be caring about at the moment is c) in the short term and b) in the short to medium term.
 
Can anyone in Canada check if online banking sites are affected?

I know Canada Revenue Agency has shut down their online access while they patch it or see if they were affected.

Like how about ATB Financial, HBC Financial, BMO, TD, etc.?

I know Netflix is affected so I'm going to change my password when that fix is in.

Yahoo I have changed already. I read Gmail is fine.

How about Amazon? Or Best Buy? Or GameStop?

And is it true that Sony Services are affected so I have to update my PSN account when it is fixed?
 
So if Google and Facebook are both not vulnerable currently, but may have been in the past 2 years, should I be changing passwords to those two ASAP?
 
The impact of this issue is SUBSTANTIAL - especially in a cloud connected world. For anyone that has a service oriented architecture (SOA) this is one of the nightmare scenarios as you'll find yourself testing not just your own shit, but everything from all of your vendors as well as any hole is an intrusion point into your platform. Two of my vendors (Amazon Web Services being the one that is easier to mention) are impacted by this and it's critical beyond words. This is now the 3rd exploit to SSL that I've seen in the past 12 months (though #2 was almost surely Apple specific).
 
Hell to the yes! The only way to go with Google

The only way to go with ANY service that offers it. Yes it is a pain to get set up and working sometimes, but it's like putting a helmet on before riding your motorcycle, better safe than having your brains sprawled across the road.
 
LastPass' Security Check tool now tells you which of your sites are affected by Heartbleed, which passwords you should go update (i.e. affected but now safe), and which you should wait before doing anything with (sites that haven't updated their certs yet). Useful!

Not many critical ones for me personally, the most notable one is Netflix (which gets a "wait" recommendation).
 
So my Debit card was hacked - thinking it might have something to do with this. Bank of America.

One in Luxembourg bought 130 dollars worth of LiveJasmin credit, another spent 80 dollars at AliExpress and then a few 1 and 2 dollar charges from Dublin.
 
The impact of this issue is SUBSTANTIAL - especially in a cloud connected world. For anyone that has a service oriented architecture (SOA) this is one of the nightmare scenarios as you'll find yourself testing not just your own shit, but everything from all of your vendors as well as any hole is an intrusion point into your platform. Two of my vendors (Amazon Web Services being the one that is easier to mention) are impacted by this and it's critical beyond words. This is now the 3rd exploit to SSL that I've seen in the past 12 months (though #2 was almost surely Apple specific).
If it's critical infrastructure, maybe companies should expend some effort rather than leeching off a project with 4 (!) full time developers.

Hard for me to feel too sympathetic about this. OpenSSL doesn't have enough manpower working on it -- in part due to its stupid situation w.r.t. the GPL (why aren't it and GnuTLS the same code base? Asinine.) And in part because security is taken for granted until it breaks.
 
During the authentication handshake the server has to keep the secret key in memory for a bit. The vulnerability arbitrarily allows the client to disclose 64KB of the server's RAM (around the OpenSSL process memory) continuously if desired. So they could pull out the secret key with enough polling.

To add to that: it's not just any 64KB of the server (hardware)'s RAM. It's 64KB of the OpenSSL process memory. Which is even worse.
OpenSSL uses its own memory management, which is why this is guaranteed.

This commit here introduced it:
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1

in January 2012.

To me it looks and smells like a backdoor.

People can check here, if their favorite domain is possibly vulnerable:
http://news.netcraft.com/archives/2...ed-websites-vulnerable-to-heartbleed-bug.html

Just enter the domain. You will then see if that shitty "RFC6520 heartbeat" extension is enabled. When it's not, it should definitely be safe. Having that extension enabled doesn't automatically mean that it's vulnerable. It may have been patched already. But at least it's a hint.

Also password security is not the only problem. Another problem is that an attacker may get the secret key of a domain that way and is then able to do a man-in-the-middle attack without your browser noticing anything.
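As an added example, not code from anyone in this thread: a small Python validator that applies the bounds check the OpenSSL fix introduced. An RFC 6520 heartbeat message carries a 16-bit payload_length, which is where the 64KB figure above comes from; the records below are constructed test data, not captured traffic, and show one well-formed request and one whose declared length does not fit in what was actually sent.

```python
import struct

# Wire layout from RFC 6520: a heartbeat message travels in a TLS record of
# content type 24 and consists of type(1) + payload_length(2) + payload +
# padding, with at least 16 bytes of padding. payload_length is 16 bits, so
# a peer can declare up to 65535 bytes: the "64KB" mentioned in the thread.
HEARTBEAT_CONTENT_TYPE = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 1 + 2  # type byte + payload_length field


def parse_tls_record(data):
    """Split one raw TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field exceeds bytes on the wire")
    return content_type, version, fragment


def check_heartbeat(fragment):
    """Validate a heartbeat message; returns (ok, reason, payload).

    The length comparison is the check the vulnerable code lacked: declared
    payload plus header and minimum padding must fit inside what was received,
    otherwise the responder would copy bytes from beyond the message.
    """
    if len(fragment) < HEADER_LEN + MIN_PADDING:
        return False, "shorter than the minimum heartbeat message", None
    hb_type = fragment[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return False, "unknown heartbeat type %d" % hb_type, None
    payload_length = struct.unpack("!H", fragment[1:3])[0]
    if HEADER_LEN + payload_length + MIN_PADDING > len(fragment):
        return (False, "declared payload_length %d does not fit in %d received bytes"
                % (payload_length, len(fragment)), None)
    payload = fragment[HEADER_LEN:HEADER_LEN + payload_length]
    return True, "ok", payload


def classify_records(records):
    """IDS-style tally over raw TLS records: how many heartbeats are well-formed
    versus malformed. Non-heartbeat records are counted as 'other'."""
    counts = {"heartbeat_ok": 0, "heartbeat_malformed": 0, "other": 0}
    for raw in records:
        content_type, _version, fragment = parse_tls_record(raw)
        if content_type != HEARTBEAT_CONTENT_TYPE:
            counts["other"] += 1
            continue
        ok, _reason, _payload = check_heartbeat(fragment)
        counts["heartbeat_ok" if ok else "heartbeat_malformed"] += 1
    return counts


# Constructed sample records (not captured traffic). Both heartbeats carry the
# 4-byte payload b"ping" plus 16 bytes of padding (23-byte fragment); the second
# one declares payload_length 0x4000 (16384), far more than was actually sent.
GOOD_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
BAD_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x40\x00ping" + b"\x00" * 16
APP_DATA = b"\x17\x03\x02\x00\x03abc"
SAMPLE_RECORDS = [GOOD_HEARTBEAT, BAD_HEARTBEAT, APP_DATA]
```

Calling classify_records(SAMPLE_RECORDS) reports one well-formed heartbeat, one malformed one and one other record.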
 
If it's critical infrastructure, maybe companies should expend some effort rather than leeching off a project with 4 (!) full time developers.

Hard for me to feel too sympathetic about this. OpenSSL doesn't have enough manpower working on it -- in part due to its stupid situation w.r.t. the GPL (why aren't it and GnuTLS the same code base? Asinine.) And in part because security is taken for granted until it breaks.

Utter nonsense you speak. There are whole platforms and distributions that use OpenSSL and people who pay money for those implementations. But if OpenSSL feels that people are 'leeching' from them then OpenSSL should retire their project and tell all the implementations to find a replacement. Then they can fire their 4 full time developers and the industry can move on to another open source implementation of SSL.
 
Is there a page which lists the current status with respect to this exploit for major sites like banks, amazon, email services etc? I don't want to change my PW's too early before it's patched.

EDIT: I see the Lastpass list, but notice that no CC companies or banks are on it, which is what I'm curious about.
 
Can anyone in Canada check if online banking sites are affected?

I know Canada Revenue Agency has shut down their online access while they patch it or see if they were affected.

Like how about ATB Financial, HBC Financial, BMO, TD, etc.?

I know Netflix is affected so I'm going to change my password when that fix is in.

Yahoo I have changed already. I read Gmail is fine.

How about Amazon? Or Best Buy? Or GameStop?

And is it true that Sony Services are affected so I have to update my PSN account when it is fixed?

Check websites here:

http://filippo.io/Heartbleed

Check a server certificate here:
https://sslcheck.globalsign.com/en_US


Wells Fargo is OK.
 
Well fuck. Now I'm hoping my own bank doesn't use OpenSSL.
Does PayPal use OpenSSL and if so, are they still vulnerable? I hate it that the only way I could find out is if I tried it myself, which I'm afraid of doing due to legal reasons.

I hear Lastpass now shows which sites have fully closed the vulnerability (update, new keys etc.). I'm hoping someone somewhere posts a list of common websites that are still or no longer vulnerable. Right now, I'm still trying to make sure if MS/Outlook/Hotmail/Office365 are vulnerable or even use OpenSSL.

I have several MS accounts (Hotmail, Outlook, etc), and they don't show up as vulnerable through LastPass. Very few sites do for me personally, the most notable one that does being Netflix. Also Rockstar forums and a few others.
 
So my Debit card was hacked - thinking it might have something to do with this. Bank of America.

One in Luxembourg bought 130 dollars worth of LiveJasmin credit, another spent 80 dollars at AliExpress and then a few 1 and 2 dollar charges from Dublin.

Is there anything that cheap in Dublin?
 
Utter nonsense you speak. There are whole platforms and distributions that use OpenSSL and people who pay money for those implementations. But if OpenSSL feels that people are 'leeching' from them then OpenSSL should retire their project and tell all the implementations to find a replacement. Then they can fire their 4 full time developers and the industry can move on to another open source implementation of SSL.
OpenSSL pays (IIRC) 1 person full time. The others are volunteers or part timers.

Also, it's open source. Generally speaking, nobody that's using the code is paying them a dime.

The industry moving on would be fine as well. Again, they're too busy leeching and then pretending it's someone else's fault when the shit hits the fan.
 
LastPass' Security Check tool now tells you which of your sites are affected by Heartbleed, which passwords you should go update (i.e. affected but now safe), and which you should wait before doing anything with (sites that haven't updated their certs yet). Useful!

Not many critical ones for me personally, the most notable one is Netflix (which gets a "wait" recommendation).

Yeah I saw it also.. got 4 websites. Netflix is very slow with this... they need to step it up.
 
That's good to hear. However, the question now is whether they use OpenSSL and patched it (and thus were vulnerable at a certain period of time) or whether they're not using OpenSSL at all and are thus completely safe.
Does Lastpass mention whether they were vulnerable and changed keys or something? Or does it say something like "Doesn't use OpenSSL"

LastPass does show this. If the site was vulnerable but is now safe (certificate updated) LastPass recommends you to update your password on that site. If it is still vulnerable it tells you to wait. MS stuff doesn't appear in the list at all, which should mean it hasn't been affected by this.

This is what it looks like (don't really care if you see the age of a few of my passwords):

[screenshot of the LastPass Security Check results]
 
What's the deal with lastpass? I literally just got it yesterday and changed my passwords to every single website.

Y'all telling me I gotta change everything again and change? Because that would push me over to the I no longer give a fuck ledge.
 
What's the deal with lastpass? I literally just got it yesterday and changed my passwords to every single website.

Y'all telling me I gotta change everything again and change? Because that would push me over to the I no longer give a fuck ledge.

It has nothing to do with LastPass, it just tells you the status of different sites you have saved there. But you shouldn't have changed passwords to affected sites that haven't been fixed yet. With those you should simply wait and do nothing until they've been patched and had their SSL certificates renewed.

Run the LastPass Security Check (it's under Tools in the extension menu), and it will tell you which of your sites are affected and what you should do.
 
Um... the page that lists the affected sites isn't coming up for me. Is there any other place that lists the affected sites?

The list would be too large :) Whole CA chains are being revoked and regenerated over the next few days and since many sites link to other sites (which may themselves be vulnerable), even if you saw that a site you use wasn't vulnerable, that doesn't mean that your data is safe. For example, it is fairly common to link to other services that live on other platforms. So while the server you're talking to may not have an issue, if it's sharing data with platforms that are, the data is still hosed. MANY popular services for backends and many server implementations themselves (like pretty much everything that runs Linux/*nix) are vulnerable.

A good question is how vulnerable are devices since many of them use OpenSSL as well.
 
One thing I love about going through and updating your passwords is that you really see some hilarious incompetence:

- GameFly: Maximum 12 characters
- Redbox: 12 characters
- Porter (Canadian Airline): 13 characters
- uPlay (hacked this year): Maximum 16 characters
- ETS (Test runners for the GRE): Maximum 16 characters, no symbols allowed
- FutureShop (Canadian retailer): Maximum somewhere around 30 characters, but if your password is too long, the error you get is that your password isn't long enough
- Desura: No max password length when you go to reset your password, 30 character max when you go to sign in.
- Monoprice: I have a 30+ character password. I can login just fine. But when I go to change my password, maximum length is 20 characters. Setting aside the wisdom of that, to change my password I need to enter my current password... but the field for my current password has a limit of 20 characters.
- Photobucket: No symbols allowed
- Shinyloot: No symbols allowed
 
Why are companies and websites so lackadaisical in their correspondence with their customers? The reaction to this bug just seems so sloppy.
 
So I ran this for every site I log in to. All were good except one. Can I log into the ones that aren't vulnerable or have been fixed now?

EDIT: wait, I re-ran the sites and one that was "good" the first time was now vulnerable.....the fuck? Not sure how reliable this "tool" is now.....

The site you're logging into is likely running on multiple servers behind a load balancer. You may be hitting good servers on some requests, and others that need to be updated on subsequent requests. It's almost impossible to know with certainty right now as entire server farms are being patched, certificates reissued, etc. to deal with this issue.

To address another question posted above, OpenSSL isn't something that YOU can choose to not use. It's something that lives on the server and handles the encryption/decryption of SSL content. So when you go to a site and you see that little lock - all of that is your browser confirming some stuff with respect to SSL which is taking place on the server. These "is my site broken" implementations are basically querying the server and looking for a particular tag "RFC6520 heartbeat" which tells them (along with the version) if the server certificate chain is bad.

So ummmmm wouldn't affected companies be sending me an email about this, like to change my password? I haven't received anything. Nothing.

Once they've patched and confirmed their patches, they likely will. I've been getting them from platform providers (like AWS, MongoHQ, Mulesoft, blah blah blah) for the past 48 hours. They will have you change your password once it makes sense for you to change it (i.e. after they have updated their servers and worked with their partners to do the same). Doing it before then would be pointless as you'll need to change it AGAIN once the OpenSSL exploit is patched.
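Added example, not from any poster in this thread: what the "is my site broken" checkers mentioned above can actually read from a server's ServerHello, namely whether the RFC 6520 heartbeat extension (type 15) was negotiated and in which mode. The ServerHello records are constructed for the example rather than captured; as noted earlier in the thread, an enabled extension is only a hint, not proof of vulnerability.

```python
import struct

# TLS constants needed to locate the heartbeat extension in a ServerHello.
HANDSHAKE_CONTENT_TYPE = 22
SERVER_HELLO = 2
EXT_HEARTBEAT = 0x000F  # extension type registered by RFC 6520
HEARTBEAT_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}


def parse_server_hello_extensions(record):
    """Return {extension_type: data} from one TLS record holding a ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE_CONTENT_TYPE:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO or len(body) < 4 + hs_len:
        raise ValueError("not a complete ServerHello")
    msg = body[4:4 + hs_len]
    pos = 2 + 32                        # server_version + random
    sid_len = msg[pos]
    pos += 1 + sid_len                  # session_id
    pos += 2 + 1                        # cipher_suite + compression_method
    exts = {}
    if pos + 2 > len(msg):
        return exts                     # no extensions block at all
    ext_total = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(msg))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        exts[ext_type] = msg[pos:pos + ext_len]
        pos += ext_len
    return exts


def heartbeat_status(record):
    """Report what a checker can learn from the ServerHello alone. Absent means
    the Heartbleed code path is unreachable; present only means 'look closer'
    at the OpenSSL version and patch state."""
    exts = parse_server_hello_extensions(record)
    data = exts.get(EXT_HEARTBEAT)
    if data is None:
        return "heartbeat extension not negotiated"
    mode = HEARTBEAT_MODES.get(data[0], "unknown mode") if data else "empty"
    return "heartbeat extension enabled (%s): check OpenSSL version/patch state" % mode


# Constructed ServerHello records (not captured traffic): TLS 1.1, a fixed
# dummy random, empty session id, cipher suite 0x002f, null compression.
SERVER_HELLO_WITH_HB = (
    b"\x16\x03\x02\x00\x31" + b"\x02\x00\x00\x2d"   # record + handshake headers
    + b"\x03\x02" + b"\x11" * 32                     # version + dummy random
    + b"\x00" + b"\x00\x2f" + b"\x00"                # session id, cipher, compression
    + b"\x00\x05" + b"\x00\x0f\x00\x01\x01"          # extensions: heartbeat, mode 1
)
SERVER_HELLO_NO_HB = (
    b"\x16\x03\x02\x00\x2a" + b"\x02\x00\x00\x26"
    + b"\x03\x02" + b"\x11" * 32
    + b"\x00" + b"\x00\x2f" + b"\x00"                # no extensions block at all
)
```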
 
- Desura: No max password length when you go to reset your password, 30 character max when you go to sign in.
- Monoprice: I have a 30+ character password. I can login just fine. But when I go to change my password, maximum length is 20 characters. Setting aside the wisdom of that, to change my password I need to enter my current password... but the field for my current password has a limit of 20 characters.

Yeah. I've run into a few of those myself :D
 
The list would be too large :) Whole CA chains are being revoked and regenerated over the next few days and since many sites link to other sites (which may themselves be vulnerable), even if you saw that a site you use wasn't vulnerable, that doesn't mean that your data is safe. For example, it is fairly common to link to other services that live on other platforms. So while the server you're talking to may not have an issue, if it's sharing data with platforms that are, the data is still hosed. MANY popular services for backends and many server implementations themselves (like pretty much everything that runs Linux/*nix) are vulnerable.

A good question is how vulnerable are devices since many of them use OpenSSL as well.

Honestly in terms of devices and appliances you're hard pressed to find one that's later than 0.9.8, in my experience. Even at the server level, we scanned thousands of Unix machines and found 0 vulnerable. You're more likely to be vulnerable if you are a major target and are patching webservers very aggressively.
 
Honestly in terms of devices and appliances you're hard pressed to find one that's later than 0.9.8, in my experience. Even at the server level, we scanned thousands of Unix machines and found 0 vulnerable. You're more likely to be vulnerable if you are a major target and are patching webservers very aggressively.

Or you have a cloud based infrastructure and have system management agents that update the security group every time an update comes out. Most of the more agile startup-ish businesses (like eBay) will fall into that category. But yes, if you are a late patcher you're likely not vulnerable to this issue... but vulnerable for other ones for which the patches were created ;)
 
Or you have a cloud based infrastructure and have system management agents that update the security group every time an update comes out. Most of the more agile startup-ish businesses (like eBay) will fall into that category. But yes, if you are a late patcher you're likely not vulnerable to this issue... but vulnerable for other ones for which the patches were created ;)

Well, yes, enterprises are generally more conservative. To add, Red Hat Enterprise Linux is not vulnerable unless you are running 6.5 or have already applied extremely recent patches -- a recent patch revision of 1.0.1e in fact. My point is, devices are generally way behind the bleeding edge, so they are the least likely to be vulnerable.
 
Well, yes, enterprises are generally more conservative. To add, Red Hat Enterprise Linux is not vulnerable unless you are running 6.5 or have already applied extremely recent patches -- a recent patch revision of 1.0.1e in fact. My point is, devices are generally way behind the bleeding edge, so they are the least likely to be vulnerable.

That is correct for certain categories of devices. There are already patches in the trees of several Bluetooth Low Energy/IOT iBeacon devices that I'm looking at right now. Fortunately these are OTA patches that I don't have to worry about.
 
So I read netflix was affected, is it still? I get "broken pipe" when I check it whatever that means. Does this affect me accessing services through apps like those on my ps4 or is it only through browsers?
 
So my Debit card was hacked - thinking it might have something to do with this. Bank of America.

One in Luxembourg bought 130 dollars worth of LiveJasmin credit, another spent 80 dollars at AliExpress and then a few 1 and 2 dollar charges from Dublin.

Bank of America was not affected
 
My password database is currently sitting at 260 entries. I already changed the most important ones but oh god this is taking forever.
 
My password database is currently sitting at 260 entries. I already changed the most important ones but oh god this is taking forever.

A good practice when going through your accounts to update passwords is when you get to sites that have close account functions, really stop and consider whether or not you need to keep your account open. Ecommerce site that you bought one thing on 3 years ago? Probably not. Service you never used? Definitely not.
 