After reporting the problems with OpenSSL, which has been nicknamed 'HeartBleed', 2 contributors have forward articles on why you should change your passwords.
Heartbleed, and why you should change your password
I always believed Mojang would keep my details safe, now I realise they are not in control of their own data. Mojang/Minecraft passwords should be changed immediately
Heartbleed Bug: Change All Your Passwords
The fallout from the Heartbleed bug is hitting the mainstream. The BBC has an article headlined "Public urged to reset all passwords".
Bruce Schneier calls it "catastrophic", giving this advice to sysadmins: "After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected." He also links to a webpage that will let you test servers for the bug, and an article on Ars Technica discussing the bug.
Related Stories
An advisory (link: https://www.openssl.org/news/secadv_20140407.txt ) has been released concerning an implementation bug in several versions of the widely used OpenSSL software.
"A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1."
The advisory states that 1.0.1 users can resolve the issue by upgrading to 1.0.1g or recompiling using the -DOPENSSL_NO_HEARTBEATS switch. Users of 1.0.2 will need to wait for the next beta release to get this closed.
This website (link: http://heartbleed.com/ ) has been created to spread accurate details of the bug, which was determined to have been seen in releases of OpenSSL dating back to December 2011. Many websites and services are affected, including Mojang's decision to completely shut down the account authentication servers for Minecraft while the patch is being put in place.
Ars Technica reports that four weeks after its disclosure huge swaths of the Internet remain vulnerable to Heartbleed. The article suggests that over 300,000 servers remain vulnerable.
What steps have you taken to protect yourself from this bug? What browser addons have you installed? Have you checked/updated the firmware on your home router? If you work in IT, what has the reaction been? Has your site been compromised? Has vulnerable code been updated, new keys genned, new certificates obtained, and old ones revoked?
Since the OpenSSL library is now undergoing a security review and a fork of it is underway as LibreSSL, it is possible that other vulnerabilities will be discovered. Then what? How likely is it that we will need to repeat this cleanup effort?
(more after the break)
(Score: 0) by francois.barbier on Thursday April 10 2014, @09:49PM
*Grabs popcorn*
(Score: 3, Funny) by aristarchus on Thursday April 10 2014, @10:27PM
I don't see how popcorn is going to save you from our new Bleeding Heart overlords!!!! It's "game over", man!!! We have to take off and nuke them from orbit. It's the only way to be sure. Popcorn! Ha!
[Note: parent post intentionally misinterpreted for comedic effect. Thank you.]
(Score: 4, Insightful) by iroll on Thursday April 10 2014, @09:51PM
Why single Mojang out here, and with such damning language? How were they any less "in control" than any other company that was using OpenSSL?
People on reddit were scraping user/pass combos from yahoo mail yesterday, for goodness sakes. Care to throw some hysteria their way, as well?
It's not that I give a crap about Mojang, it's just that I can't see how your comment passes the sniff test. Either you know something I don't or you don't know what you're talking about. When it comes to outrageous headlines, I'm inclined to believe the latter.
(Score: 3, Insightful) by Anonymous Coward on Thursday April 10 2014, @09:57PM
Yeah, Mojang seemed among the most responsible with their reactions. They brought things down, patched, and updated their certs. There are still much bigger players that haven't reliably done that (or at least announced it).
(Score: 2) by Angry Jesus on Thursday April 10 2014, @10:42PM
> Either you know something I don't
Have you considered that the submitter is probably a big Minecraft fan and that Mojang is probably at the top of his own list of sites he cares about?
(Score: 1) by iroll on Thursday April 10 2014, @10:53PM
Yes, and I also considered that the submitter is an idiot, neither of which justify the editor keeping the phrase "now I realise [sic] they are not in control of their own data."
(Score: 1, Offtopic) by Angry Jesus on Friday April 11 2014, @12:33AM
Ah, so you are just one of those kinds of people.
(Score: 0, Offtopic) by iroll on Friday April 11 2014, @02:06AM
Yeah, I'm one of those people who thought that clickbait troll headlines were a bug, not a feature. My bad. Carry on.
(Score: 1, Offtopic) by Angry Jesus on Friday April 11 2014, @04:05AM
> Yeah, I'm one of those people who thought that clickbait troll headlines were a bug, not a feature. My bad. Carry on.
One of the kind of people so caught up in the sputtering anger of their own pipsqueak self-righteousness that they start off arguing about a sentence in a story submission and then switch to complaining about a benign headline.
Carry on carrying the weight of all the idiots in the world on your shoulders.
(Score: 0, Offtopic) by iroll on Friday April 11 2014, @04:10AM
Touche; I suppose I meant summary, and not headline. But please, go on. I'd like to hear more about sputtering anger and pipsqueak self-righteousness.
(Score: 0, Offtopic) by Angry Jesus on Friday April 11 2014, @04:52AM
Yeah, well I'd like to not hear any more of your sputtering.
(Score: 1, Insightful) by iroll on Friday April 11 2014, @05:59AM
I'm sorry, Dave. I'm afraid I can't do that.
(Score: 2) by wantkitteh on Friday April 11 2014, @11:49AM
I suppose it could have partially been my fault, I did mention Mojang closing down the Minecraft auth servers in the story I submitted about Heartbleed to illustrate just how widespread this bug's effect was. People expect stories about how this bug and that screw-up leaked 100billion credit card details or patient records or names and addresses of subscribers to Canine Fetish Monthly, we've seen that before. Something widespread enough to leak something as innocent as your Minecraft login should get some attention.
(Score: 1) by iroll on Friday April 11 2014, @05:39PM
That kind of mention I can absolutely understand, but to say "now I realise they are not in control of their own data" is extremely accusatory. It doesn't make them an example of a widespread problem; it calls them out as if they were either particularly neglectful or incompetent, or that they had given their (your) data to a third party that couldn't be trusted, none of which seem to be the case.
When I clicked on the attached article, I expected to read something along the lines of the above (really, I expected to read that they had used an untrustworthy third-party service). Instead, I read that they had taken a particularly conservative approach for the problem. The disconnect between the summary and the article is obnoxious... I read the articles on aggregators like SN because I want to be clued into interesting things and see/participate in a discussion, not to get trolled into clicking on things that don't match the summary. Honestly, the only thing that could have made it more annoying to me would have been if the link had gone to a monetized blog that then linked to the Mojang page :P
(Score: 4, Insightful) by multisync on Thursday April 10 2014, @10:35PM
Telling people to change all of their passwords immediately is a bit of a hysterical reaction. A better approach would be to find out whether sites like you bank and on-line retailers you've done business with are affected by heartbleed and, if they are, changing you passwords *after* they have patched their servers, generated new keys etc.
This [reddit.com] article from Reddit gives details on Canadian financial institutions. You can also use this tool [ssllabs.com] to test whether a domain is vulnerable.
Or you could visit your bank/on-line realtor's website - or call them - to find out whether they are affected and if they have taken necessary steps to resolve the issue.
It's good for people to change their passwords, but changing them on a site that is vulnerable before the site has actually dealt with the problem will do nothing but give the user a false sense of security.
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @10:56PM
No, it's worse than false security -- it purposely puts your password at risk! It makes certain that it's in memory waiting to be snarfed through heartbleed.
You'd be much safer never logging in at all, until you were sure the site fixed its issues.
(Score: 0) by Anonymous Coward on Friday April 11 2014, @08:11AM
As it is, given that 90% out there are unlikely to be ever changing their passwords even after the sites have updated everything, in some countries if "stuff happens" the Court might still side with you - after all did the judge change his own bank passwords? I bet he didn't.
So in such countries you can still login - the banks are the ones who should be worried and should be doing what Mojang/the Minecraft site did- shut everything down till they have updated everything, including installing new HTTPS certs and having the old ones revoked.
If the banks etc don't think the problem is serious enough to do that, I don't see why their users should be changing their passwords. The sites should be partly liable for the problem not the users. After all using openssl is a choice they made. They could be using IIS instead, or Java's SSL/TLS.
(Score: 1) by FakeBeldin on Friday April 11 2014, @09:34AM
Telling people to change all of their passwords immediately is a bit of a hysterical reaction.
True. (It's very 2YK-y.)
On the other hand, if we get them to do that, then... they all just changed all their passwords!
Just the fact that a significant percentage of people will change their passwords (no matter why) is good.
(Score: 3) by VLM on Friday April 11 2014, @11:13AM
"Just the fact that a significant percentage of people will change their passwords (no matter why) is good."
Asking "why" at this juncture is usually interesting. No appeal to authority or tradition, just logic please.
(Score: 1) by monster on Friday April 11 2014, @02:07PM
Pluses:
- It invalidates previously harvested passwords, be it hashed or in cleartext form.
- Most passwords that stand a lot of time do so because they are easy to remember. That usually means they are also vulnerable because of low entropy.
Minuses:
- A lot of people will pick an easily remembered password as their new one, so again low entropy.
- Many people will fail to follow good practices and will use the same password on several sites.
(Score: 2) by Techwolf on Thursday April 10 2014, @10:39PM
Is there a list of sites that are known to been vaulenable?
Has there been any news of any NSA connections of the commiter of the bug? (Some may call it a backdoor due to severity. Easy to do and no trace in the logs.)
(Score: 5, Informative) by Anonymous Coward on Thursday April 10 2014, @10:58PM
This list [github.com] shows the status of the top 10,000 domains. It's not perfect; they only test the main page of the domain, so a bank that keeps its online banking under a subdomain might show up as having no SSL.
(Score: 5, Informative) by mattie_p on Friday April 11 2014, @12:10AM
(Score: 4, Informative) by NCommander on Friday April 11 2014, @12:22AM
While we don't use SSL by default, SN was vulnerable to this; we installed the upgrade shortly after it was published to precise-security. Frontend wise, we use nginx to terminate SSL, then pass the request on to Varnish. Installation was quick, apt-get upgrade && service nginx restart. We also restarted our mysql services so they'd pick up the new code. We're a small site; deployment was quick and easy for eight machines, but for sites with huge farms, especially with those with long time-to-update (i.e., banks), I won't be surprised if it take upwards of a month before everything is updated. That being said, we've not been able to get our SSL certificates re-issued as of yet. As far as I know, all major distros got the patched turned in record time.
That being said, OpenSSL is slagging everywhere; its even in the boot chain if you use Linux + Secure Boot. I'm fairly sure Android uses it, as does many embedded platforms (Cisco was affected by this in many of their products) Their special handling of malloc prevented the bug from being detected via normal detection software; its quite possible there are other memory leaks in OpenSSL that have as of yet remained unnoticed. The big problem is that their is no *great* FOSS SLL library. GnuTLS is absolute garbage under the hood (http://www.openldap.org/lists/openldap-devel/2008 02/msg00072.html), and the only reason Debian/Ubuntu use it is due to the belief that the OpenSSL license is incompatible with the GPL*. It should be noted that this bug slipped through FIPS certificate and the other huge battery of certification tests that OpenSSL routinely gets affected by.
* - the problem is that OpenSSL's license has an adversing clause which is GPL incompatible. The GPL has an exception for linking against "system libraries", but the Debian position is that doesn't cover OpenSSL because its not installed out of the box. Other distros have taken different positions on the issue, but Ubuntu inherts this from Debian, as do most(all?) Debian/Ubuntu derivatives.
Still always moving
(Score: 2) by Hairyfeet on Friday April 11 2014, @12:38AM
I'm sure I'll get hate for saying this but....we care about this in the U.S.S.A why exactly? if there is one thing we should have learned from the Snowden leaks its that the NSA has a MITM at every major terminal point IN the U.S.S.A so you might as well be writing every bit on a giant whiteboard in the middle of town for all the good it'll do.
Remember folks no matter how good your security is it HAS to be unencrypted somewhere and as we learned from Snowden every major provider has an open door for your Big brothers at the NSA. the head of Google was right with him saying privacy is dead, we just didn't know HOW right he was until Snowden. If you wanna change passwords to keep some script kiddie from using your email to peddle fake viagra? Sure go ahead, if you are doing it to keep some lackey at the NSA from reading every thing you do? best to be booking a flight out, no privacy in the U.S.S.A comrade.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 3, Insightful) by NCommander on Friday April 11 2014, @12:54AM
Wow, there's so much wrong here that I'm going to need to break it down.
First, using crypto everywhere means that its difficult to capture in transit. While it is possible to MITN with a fake CA, certificate pinning can go a *long* way in stopping that in its tracks. Once we've finished the site rename, and generated new SSL certificates, I'm going to look into pinning the site so that browsers will explode if they get a MITN certificate. With a pinned certificate, MITN is essentially impossible. Furthermore, we've got security precautions in place to give us a heads up if the server software has been tampered with in case of intrusion, NSA or otherwise. We terminate SSL on the webheads and not on a loadbalancer, so data is only unencrypted within the machine itself; a much harder target to penetrate.
Secondly, a lot of things use SSL with self-signed certificates; we use it internally all over the place; if its not public facing, its signed by our own internal CA. All of that has to be redone because of heartbleed.
Third, do you really want anyone to be able to scope information? No security (or privacy protection) is perfect and a dedicated attacker can probably find a chink in the armor and get in. Right now, if a bank or health care provider is heartbleedable, your information can be leaked, and sold to whoever will buy it.
Yes, having proper security is hard, but your comment is to roll over and let whoever they want screw us. With an attitude like that, the United States would still be a British colony. A battle is only lost when the last person gives up fighting, and apathy is not the solution to the problems in the world.
Still always moving
(Score: 2) by Hairyfeet on Friday April 11 2014, @04:06AM
Exactly HOW am I wrong? remember the "$5 wrench" comrade? Well thanks to Snowden we now know they don't even need a $5 wrench, they just need a side room at AT&T,Google,Yahoo, and pretty much every major ISP and terminal in the country. you might want to look up the telecom immunity blowup and what the whistleblower put out there about what is EXACTLY going on to see why they really don't need your keys, they can flash a badge and copy every single packet not to mention the contents of your emails or anything else they want, no pesky warrants required.
Again if you want to do it to stop script kiddies? Go right ahead, but seeing as it'll take most big places a month or more to get switched probably not gonna help ATM but if you think its gonna stop big bro? Well there is a REASON why we say "if they have access to the hardware you've already lost" because once the hardware is compromised everything else is fucked. unless you are using a VPN to tunnel AND don't have the tunnel ending anywhere in the USA then you are just you are just playing security theater because some lackey at the NSA can push a button and see everything you've done going back years....why do you think they built that massive bunker datacenter in Utah, for fun? when you are blanket capturing THAT much data you gotta have some big ass boxes to pour through the stuff.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 3, Insightful) by J053 on Friday April 11 2014, @02:07AM
You may be entirely correct - the NSA might have MITM capabilities at all Tier1 providers, data centers, etc. That still doesn't mean I want any script-kiddie would-be criminal to be able to snarf my data by hitting a website while I happen to be logged in. I don't trust our Government (or any government, for that matter), but I trust random Internet users even less.
OK - so all your personal data is known to the NSA - really, so what? I know what They (you know, THEM) could do with all that, but what are the odds? If you're a rabid anti-gov activist, or some kind of threat to the powers-that-be, or a spy/drug dealer/Mafioso/whatever, you're justified in being worried about the Gov. watching your packets. For the rest of us, while it *seriously* pisses me off that they are monitoring us as (we've been told) they are, I'm not worried that anyone at NSA is going to run up my credit cards or empty my bank account - if the SSL bug was not fixed, I'd have to worry about that happening by anyone from anywhere.
The (alleged) fact that the NSA is monitoring communications metadata is not a reason to not tighten up our security. In fact, this is a great opportunity to re-do all the root certs out there - maybe move to more sites using self-signed certs; it's harder for the p-t-b to compromise them, and surely we can come up with some way for end-users to confirm that a self-signed (or organizational CA-signed) cert is valid without needing a heirarchical PKI.
(Score: 2, Interesting) by Horse With Stripes on Thursday April 10 2014, @10:40PM
I got lucky and was spared exposure to the vulnerability. As it turns out I never got around to migrating our production servers to the new servers running the latest version of OpenSSL. Our test servers were vulnerable, but they don't have anything of note on them, and no one was using them for the last week or so. The test servers' certs were self signed, so I upgraded the test servers to a safe version of OpenSSL, reset all the passwords and reissued the certs.
This whole thing is a mess, and I worry about which agencies have what info now from mail servers and other popular websites. I expect a lot of MitM attacks on people whose browsers don't check for revoked certificates.
(Score: 2, Informative) by tomtomtom on Thursday April 10 2014, @10:53PM
Is there a list/way of checking for sites/servers which *were* exposed to the bug, but have now fixed it? If they are still exposed to the bug, I can stop using them but if they aren't then what I really want to know is if I need to change my password if they're not affected. Sort of like Have I been Pwned? [haveibeenpwned.com] but for this bug.
(Score: 3, Informative) by mattie_p on Friday April 11 2014, @12:11AM
As I posted elsewhere, check out this site [filippo.io] to test sites you use.
(Score: 1) by tomtomtom on Friday April 11 2014, @08:30AM
Unfortunately that one only tells you if they are *currently* vulnerable, not if they previously looked like they were unless I'm missing something. For example, putting in www.soylentnews.org says "All good, www.soylentnews.org seems fixed or unaffected!" ie it only talks about how it responds now. Still useful, since that means it's safe to change passwords on that site but not what I was hoping for.
(Score: 1) by Bob The Cowboy on Friday April 11 2014, @02:32AM
Unfortunately, the bug has been in the wild for 2 years or so. A site could have been exposed and patched (perhaps unkowingly, maybe even switched to another OS version) before this made headlines, so there would still be a vulnerable window where a bad actor could have been able to exploit. You should pretty much assume that any site that uses SSL could have been affected.
(Score: 2, Interesting) by jcross on Thursday April 10 2014, @10:53PM
Yeah, I've been dealing with the fallout all day, getting new certs pushed out to a whole bunch of servers. I think patching the flaw yesterday was actually the easier part, and I can imagine how hard it must be for bigger companies that are not so big as to have great server admin systems. Along the way I have definitely been underwhelmed with the quality of some of the software that we rely on for essential crypto and other services. I don't mean this as a slight against the openssl developers, but the kind of methods we use to develop complex UI-type applications surprisingly seem to be years, if not decades ahead of the methods used to develop software like openssl. The TLS heartbeat takes IIRC 2 or 3 pieces of user input, and I think anyone doing a decent job of test-driven development would have written some test cases with out-of-bounds values for those. Why are these crypto libraries not backed up with comprehensive test suites? It's not as if they're doing something like a GUI that's hard to write tests against.
(Score: 3, Interesting) by kevinl on Thursday April 10 2014, @11:16PM
The D language makes it so easy to do unit tests that I am finding myself writing them all the time. It's a different mentality, but I have so much more confidence that my code is doing the right thing now. I actually ported some C code over to D, wrote the unit tests to cover the cases provided in the documentation (it was Kermit protocol), and found bugs in my C code I had never seen before. Now both codebases are in much better shape.
(Score: 4, Informative) by NCommander on Friday April 11 2014, @01:23AM
Not arguing against a strong test suite, but the design of OpenSSL's malloc() replacement is what prevented anything like StackProtector from finding and detecting the bug. Had OpenSSL been using normal malloc()/free() this would have been discovered eons ago (Ubuntu ships with -fstack-protector enabled by default, and glibc has a lot of detection code for things like this). In this case, the only way to have caught it is to manually have checked all the TLS output issued by hand and see if it was there.
Still always moving
(Score: 2) by demonlapin on Friday April 11 2014, @02:28AM
(Score: 4, Informative) by NCommander on Friday April 11 2014, @04:54AM
The reason was doing in the name of performance as some platforms apparently have very slow malloc()/free() functionality. There's a good writeup here: http://www.tedunangst.com/flak/post/analysis-of-op enssl-freelist-reuse [tedunangst.com]
Still always moving
(Score: 2) by TheLink on Friday April 11 2014, @04:00PM
(Score: 0) by Anonymous Coward on Thursday April 10 2014, @11:09PM
Note to editors:
...or maybe delete those tags entirely.
The title of the story is formatted as h3.
Another h3 later in the summary doesn't look proper.
Try h4 or h5 next time.
Anyone else want to join me in this whine?
-- gewg_
(Score: 0) by Anonymous Coward on Friday April 11 2014, @05:16AM
Most of the major places that have access to my important info are not a problem.
(Score: 1) by egp on Friday April 11 2014, @12:11PM
This is a great explanation [xkcd.com] of the heartBleed bug for non-techies
(Score: 2) by JeanCroix on Friday April 11 2014, @01:15PM