
Heartbleed SSL bug serious vulnerability impacting major services, being patched now

Seeing the same thing. Google, Facebook, Dropbox and Netflix are still there though.

Give it a while. These guys have thousands to tens of thousands of servers in their web farms and they will update them during their maintenance windows so as to avoid bringing down their services altogether.
 
if everyone just adopted some form of multi-factor auth...this stuff would be way less a pain in the ass.

not to mention the conflicting information as to whether or not servers have been patched and certs re-issued.
 
Arguing about which password management solution is best is silly. It's more important that people use one rather than get caught up in the details of which is "better".

On the one hand you are right, but the manager should be secure as you are putting a lot of valuable information in one place. Telling people to use Excel for their passwords is not as good as telling them to use Strip.
Hyperbole, I know.
 
Apple says OSX and iOS are unaffected. Now companies are gonna say what needs to be said, not necessarily what's true, so... is it?
 
Apple says OSX and iOS are unaffected. Now companies are gonna say what needs to be said, not necessarily what's true, so... is it?

OS X and iOS don't use OpenSSL for anything major, Apple has their own SSL implementation (which had its own well-known vulnerability a month or so ago). They do ship a version of OpenSSL with OS X but it's deprecated, and it's an older version that isn't vulnerable to this anyway.
 
This is one of the big ones: available since 2012, not known until a couple of days ago, released into the wild with almost no one patched.

http://arstechnica.com/security/201...-may-have-been-exploited-months-before-patch/

Ales Teska, of the mobile security provider SeaCat.mobi, wrote in an email to Ars that his company’s service, while not vulnerable to the Heartbleed exploit, acted as a sort of “honeypot” for attacks based on the exploit because of its use of OpenSSL. “Our OpenSSL-based software was logging Heartbleed attack attempts to its logs by coincidence,” he wrote, starting on March 23. When upgrading the OpenSSL on two test servers, he checked the logs of the servers and found “these two servers are actually logging such an attempt to the log file (as a generic OpenSSL handshake issue).” SeaCat.mobi has detailed the attempted attacks in a blog post.

It seems someone else already knew about this. It's not perfect evidence though, because:

Update: SeaCat and Teska have now qualified their comments: " EFF correctly pointed out that there are other tools, that can produce the same pattern in the SeaCat server log (see http://blog.erratasec.com/2014/04/no-we-werent-scanning-for-hearbleed.html#.U0Xq4OaSz-l ). I don't have any hard data evidence to support or reject this statement. Since there is a risk that our finding is false positive, I have modified this entry to neutral tone, removing any conclusions.

Terrence Koeman of MediaMonks told Ars he found signs of attempts to use the exploit dating back to November 2013.
...
from a network suspected of harboring a number of “bot” servers that were apparently scans for the vulnerability—sending Heartbleed-style requests to two different development servers in requests that were about five minutes apart.
 
On the one hand you are right, but the manager should be secure as you are putting a lot of valuable information in one place. Telling people to use Excel for their passwords is not as good as telling them to use Strip.
Hyperbole, I know.
Nah, that's a good point. Still, the spreadsheet method is more secure than using the same password everywhere. I guess my point was that I think far too many people reuse passwords and that the important bit is to get them away from that.
 
The only thing that keeps me from generating passwords on LastPass is the hassle I could have on every time I'd need to use a mobile app (Steam, Facebook...) and need the password. LastPass has an app, but only for premium users and iOS integration isn't very well done, right? I mean, is there a way to copy the password from the LastPass app into another mobile app?
 
The only thing that keeps me from generating passwords on LastPass is the hassle I could have on every time I'd need to use a mobile app (Steam, Facebook...) and need the password. LastPass has an app, but only for premium users and iOS integration isn't very well done, right? I mean, is there a way to copy the password from the LastPass app into another mobile app?

I don't know about LastPass, but that definitely works with my password manager of choice both on iOS as well as OSX.
 
The only thing that keeps me from generating passwords on LastPass is the hassle I could have on every time I'd need to use a mobile app (Steam, Facebook...) and need the password. LastPass has an app, but only for premium users and iOS integration isn't very well done, right? I mean, is there a way to copy the password from the LastPass app into another mobile app?

Supposedly there's a way to integrate your Lastpass vault into Safari on iOS by doing something where you bookmark a page and then modify it, but it never worked for me so I just gave up on it. It only takes a second to copy your password from the mobile app to your clipboard, plus I'm starting to let iCloud save some of my passwords as well.
 
Supposedly there's a way to integrate your Lastpass vault into Safari on iOS by doing something where you bookmark a page and then modify it, but it never worked for me so I just gave up on it. It only takes a second to copy your password from the mobile app to your clipboard, plus I'm starting to let iCloud save some of my passwords as well.

But you'd have to be a premium user to have the mobile app, right? Not that I don't want to be, just want to be sure of my choices. And can I copy the password to clipboard and then to another mobile app, like Steam?
 
The latest update of the Android app has better integration of filling in passwords on mobile apps without having to copy and paste from the LP app itself. Not sure how it works as I haven't upgraded to premium yet and also not sure if that better integration is available on iOS.
 
The only thing that keeps me from generating passwords on LastPass is the hassle I could have on every time I'd need to use a mobile app (Steam, Facebook...) and need the password. LastPass has an app, but only for premium users and iOS integration isn't very well done, right? I mean, is there a way to copy the password from the LastPass app into another mobile app?

That is a bit of a hassle, but you really only need to do it once per app/site. And even without Premium you can just visit the LastPass site in your mobile browser and copy/paste passwords from there.
 
I haven't been online much in the past few days and now I'm suddenly finding I need to change all of my passwords. In a way this is kind of a good thing though, since I've been really bad about updating some of them in a while.
 
I've ignored this Heartbleed stuff for long enough.

Now, I'll have to change my passwords... Fuck. Well, I mean I only use five passwords and rotate those in between services so I guess it's time I make a unique password for each service?

Fuck everything.

Edit: I'll have to check out this LastPass stuff later today.
 
Stump's sleuthing got me to check out the password security for my own bank BMO.. the result is not pretty.


Horrendous for 2014. I thought that 6 character minimum was okay'ish. Nope. That's the minimum and maximum. The passwords have to be only 6 characters. Fuck.

I've noticed a few banks have this shitty password rule. It's crazy for banks of all places to be this lax.
 
That is a bit of a hassle, but you really only need to do it once per app/site. And even without Premium you can just visit the LastPass site in your mobile browser and copy/paste passwords from there.

Correct, that feature would require a premium membership.

I just made a random test and apparently you don't need to be premium if you access the mobile site. Great then! Thanks for the help, everyone!
 

The comic is not well done.

It would have been more accurate this way:

Server, are you still there? If so, reply with the following 6 characters "POTATO".

...

Server, are you still there? If so, reply with the following 4 characters "BIRD".

...

Server, are you still there? If so, reply with the following 500 characters "HAT".

That's surely nitpicking. But it's way easier to understand it that way.
 
It looks like private keys may not be vulnerable with this attack after all. Definitely a dodged bullet if it's the case, but at this point it seems nobody is willing to take any chance on even the most far-fetched vulnerability.
In general, they are proving hard to get to, but they're not 100% safe. Researchers have proven that FreeBSD will give up its key right away, for example. It depends on a lot of things.

Since there's no way to tell for certain, it's best to regenerate keys and certificates.

The comic is not well done.

…

That's surely nitpicking. But it's way easier to understand it that way.
Uh, okay. I don't see how it's any easier, but if you say so.
 
I've never heard of Lastpass before but I feel like this may be something I want to look into now. Geez the implications of this bug are scary.
 
It makes it more explicit about how the commands regarding the character length are sent. That said, the change doesn't enhance my understanding of it.

To make it more obvious, add to the server:

"Okay, I'm still here. I will send you back the 500 characters, that you just sent me".

The sender only sent "HAT", which is 3 characters. Because of that, the remaining 497 characters come from the rest of the OpenSSL memory pool, which may contain secret keys, passwords and all sorts of other stuff. The maximum number of bytes that can be requested is 64k (65535).

Normally the server should have said: "wat, you want 500 characters? But you only sent me 3, so there you go - your 3 characters - I won't send you more than that".
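The exchange described in the post above, as an added example that is not part of the original thread and not OpenSSL's source: a minimal C model of the TLS heartbeat handler (RFC 6520 layout: 1-byte type, 2-byte big-endian payload_length, payload, at least 16 bytes of padding). The vulnerable handler trusts the length field; the patched handler checks it against the record actually received before copying anything, which is the shape of the OpenSSL 1.0.1g fix. The arena, the planted secret and all function names are hypothetical, constructed so the over-read lands on bytes we control rather than on undefined memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenSSL source). A heartbeat message is a 1-byte type,
 * a 2-byte big-endian payload_length, the payload, then >= 16 bytes of
 * padding. The server's record buffer is modelled as a fixed arena so the
 * over-read reads bytes we planted ("heap contents"), not undefined memory.
 * All names are hypothetical. */

#define HB_REQUEST  1
#define HB_PADDING  16
#define ARENA_SIZE  2048

static uint8_t arena[ARENA_SIZE];          /* stands in for the process heap */
static const char secret[] = "session=abc123;password=hunter2";

/* Build a request at the front of the arena that *claims* `claimed` payload
 * bytes but actually carries only `actual`. Returns the real record length
 * (what the record layer delivered). The secret is planted right after the
 * record, as other data would sit after it on a real heap. */
static size_t build_record(uint16_t claimed, const char *payload, size_t actual) {
    memset(arena, 'X', sizeof arena);        /* arbitrary leftover bytes */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xFF);
    memcpy(arena + 3, payload, actual);
    size_t rec_len = 3 + actual + HB_PADDING;
    memcpy(arena + rec_len, secret, sizeof secret);
    return rec_len;
}

/* Vulnerable handler: trusts the attacker-controlled length field and copies
 * that many bytes starting at the payload, the shape of the bug in OpenSSL
 * 1.0.1 through 1.0.1f. Returns the number of bytes echoed. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap) {
    (void)rec_len;                           /* never consulted: that is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);           /* reads past the real payload */
    return payload;
}

/* Patched handler: the claimed length is checked against the record actually
 * received before anything is copied; a bad request is silently discarded. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

static uint8_t reply[ARENA_SIZE];

/* The "500 characters, HAT" request from the thread, through the vulnerable handler. */
size_t vulnerable_reply_len(void) {
    size_t n = build_record(500, "HAT", 3);
    return heartbeat_vulnerable(arena, n, reply, sizeof reply);
}

/* 1 if the planted secret appears in the echoed bytes beyond the 3 real ones. */
int vulnerable_reply_leaks_secret(void) {
    size_t got = vulnerable_reply_len();
    for (size_t i = 3; i + sizeof secret <= got; i++)
        if (memcmp(reply + i, secret, sizeof secret - 1) == 0) return 1;
    return 0;
}

/* Same 3-byte "HAT" payload with an arbitrary claimed length, through the fix. */
size_t fixed_reply_len(uint16_t claimed) {
    size_t n = build_record(claimed, "HAT", 3);
    return heartbeat_fixed(arena, n, reply, sizeof reply);
}

int main(void) {
    printf("vulnerable: echoed %zu bytes, secret leaked: %s\n",
           vulnerable_reply_len(), vulnerable_reply_leaks_secret() ? "yes" : "no");
    printf("fixed: claimed 500 -> %zu bytes, claimed 3 -> %zu bytes\n",
           fixed_reply_len(500), fixed_reply_len(3));
    return 0;
}
```

The vulnerable handler echoes 500 bytes for a 3-byte payload and the planted secret comes back starting 19 bytes in; the patched handler returns nothing for the oversized claim and only the 3 real bytes when the claim is honest.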
 
The only thing that keeps me from generating passwords on LastPass is the hassle I could have on every time I'd need to use a mobile app (Steam, Facebook...) and need the password. LastPass has an app, but only for premium users and iOS integration isn't very well done, right? I mean, is there a way to copy the password from the LastPass app into another mobile app?
Yes you can copy and paste anywhere.

Premium is very cheap. Only $12 a year. Bargain for what you get.

The app works perfectly fine for me. They upgraded recently and it's pretty nice.
 
As I mentioned earlier in the thread, the level of exploit is only just now beginning to be fully appreciated.

Security experts said the vulnerable code is also found in some widely used email server software, the online browser anonymizing tool Tor and OpenVPN, as well as some online games and software that runs Internet-connected devices such as webcams and mobile phones.

Jeff Forristal, chief technology officer of Bluebox Security, said that version 4.1.1 of Google's Android operating system, known as Jelly Bean, is also vulnerable. Google officials declined comment on his finding.

Other security experts said that they would avoid using any device with the vulnerable software in it, but that it would take a lot of effort for a hacker to extract useful data from a vulnerable Android phone. (Editing by Edwin Chan and Eric Walsh)
 
Ok I store all my passwords on Evernote (I use the desktop app) and log on to chase regularly. On a scale of 1 to 10 how screwed am I?

Lastpass is really secure?

I should also note that I've been watching porn (haven't in a while though).

I knew downloading a few videos would come in handy!
 
So is it ok now to change all my passes? I haven't logged into certain sites recently thanks to this bug.

This vulnerability has been known in some circles for quite a while; it's only now that it comes to light. Nevertheless, the rule of thumb says changing your passwords once in a while is a good practice.
 
This vulnerability has been known in some circles for quite a while; it's only now that it comes to light. Nevertheless, the rule of thumb says changing your passwords once in a while is a good practice.

Yeah I use lastpass and have 2 step turned on for every place that offers it. Just curious if most sites have patched the bug so I can change my pw safely. From what I've read it won't matter if I change my pass until the bug is patched.
 
Yeah I use lastpass and have 2 step turned on for every place that offers it. Just curious if most sites have patched the bug so I can change my pw safely. From what I've read it won't matter if I change my pass until the bug is patched.

So there's little point in changing passwords now until this blows over? Are you able to tell if you've been hit with this bug or not? I've been watching my bank account like a hawk....
 
So there's little point in changing passwords now until this blows over? Are you able to tell if you've been hit with this bug or not? I've been watching my bank account like a hawk....

https://lastpass.com/heartbleed/
Unless I'm mistaken sites that aren't patched are still vulnerable so yeah logging in could still compromise your info so don't log on to vulnerable sites and change your passes until they're patched.

On a side note I swear no one else I know besides me follows or cares about this stuff. I send out alerts on fb and twitter about news like this and how to upgrade security and it's like I"m talking to myself :(. Apparently using things like lastpass take too much work even if I can get people to buy in.
 
So there's little point in changing passwords now until this blows over? Are you able to tell if you've been hit with this bug or not? I've been watching my bank account like a hawk....

Well, if whoever you are talking to has yet to actually patch their servers, you checking so often actually heightens the chances someone can steal from you.

Not likely that banks have not already covered their asses though.
 
I read through this thing but I feel like a dunce playing with big words.

This bug only affects sites you are actively on correct? So if I go to a website with this bug but jot down the password on another application will it be able to tell? Or do I have to close the site and thus am no longer affected?

Or once you're exposed you're infected? This isn't a typical virus as far as I'm aware and is more online oriented.
 
I read through this thing but I feel like a dunce playing with big words.

This bug only affects sites you are actively on correct? So if I go to a website with this bug but jot down the password on another application will it be able to tell? Or do I have to close the site and thus am no longer affected?

Or once you're exposed you're infected? This isn't a typical virus as far as I'm aware and is more online oriented.

This is not an infection.

This is a structural weakness that allows bad guys to peek at information the site you are talking to currently stores. Usually if you have logged off or have not tried to access the site in an unspecified period of time, there is little/no data to be peeked at.

The thing about changing passwords/keys is that part of the data that can be stolen MAY be password/keys and so your current set MAY not be secure if someone got to them before the site patched their shit.

The best thing to do is to stay away from sites that have yet to patch themselves so that the likelihood of your stuff getting stolen is reduced. Then after they are patched, you should change your password as a security measure.
 
This is not an infection.

This is a structural weakness that allows bad guys to peek at information the site you are talking to currently stores. Usually if you have logged off or have not tried to access the site in an unspecified period of time, there is none of your data to be peeked at.

The thing about changing passwords/keys is that part of the data that can be stolen MAY be password/keys and so your current set MAY not be secure if someone got to them before the site patched their shit.

The best thing to do is to stay away from sites that have yet to patch themselves so that the likelihood of your stuff getting stolen is reduced.

Thanks for the info, looks like I'll limit the sites I'm on until this hopefully goes away.
 