
SoylentNews is people

posted by janrinok on Thursday April 10 2014, @09:45PM
from the security-is-important dept.

Following our earlier report on the OpenSSL bug nicknamed 'Heartbleed', two contributors have forwarded articles on why you should change your passwords.

Heartbleed, and why you should change your password

I always believed Mojang would keep my details safe; now I realise they are not in control of their own data. Mojang/Minecraft passwords should be changed immediately.

Heartbleed Bug: Change All Your Passwords

The fallout from the Heartbleed bug is hitting the mainstream. The BBC has an article headlined "Public urged to reset all passwords".

Bruce Schneier calls it "catastrophic", giving this advice to sysadmins: "After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected." He also links to a webpage that will let you test servers for the bug, and an article on Ars Technica discussing the bug.

 
  • (Score: 2) by Techwolf on Thursday April 10 2014, @10:39PM

    Is there a list of sites that are known to have been vulnerable?

    Has there been any news of any NSA connections of the committer of the bug? (Some may call it a backdoor due to its severity. Easy to do and no trace in the logs.)

  • (Score: 5, Informative) by Anonymous Coward on Thursday April 10 2014, @10:58PM

    This list [github.com] shows the status of the top 10,000 domains. It's not perfect; they only test the main page of the domain, so a bank that keeps its online banking under a subdomain might show up as having no SSL.

  • (Score: 5, Informative) by mattie_p on Friday April 11 2014, @12:10AM

    I've seen this site [filippo.io] thrown around to test the remote server, but it's impossible to come up with an all-inclusive list of all the millions of websites around the world.
  • (Score: 4, Informative) by NCommander on Friday April 11 2014, @12:22AM

    While we don't use SSL by default, SN was vulnerable to this; we installed the upgrade shortly after it was published to precise-security. Frontend-wise, we use nginx to terminate SSL, then pass the request on to Varnish. Installation was quick: apt-get upgrade && service nginx restart. We also restarted our mysql services so they'd pick up the new code. We're a small site; deployment was quick and easy for eight machines, but for sites with huge farms, especially those with long time-to-update (i.e., banks), I won't be surprised if it takes upwards of a month before everything is updated. That being said, we've not been able to get our SSL certificates re-issued as of yet. As far as I know, all major distros got the patch turned around in record time.

    That being said, OpenSSL is slagging everywhere; it's even in the boot chain if you use Linux + Secure Boot. I'm fairly sure Android uses it, as do many embedded platforms (Cisco was affected by this in many of their products). Its special handling of malloc prevented the bug from being detected via normal detection software; it's quite possible there are other memory leaks in OpenSSL that have as of yet remained unnoticed. The big problem is that there is no *great* FOSS SSL library. GnuTLS is absolute garbage under the hood (http://www.openldap.org/lists/openldap-devel/200802/msg00072.html), and the only reason Debian/Ubuntu use it is due to the belief that the OpenSSL license is incompatible with the GPL*. It should be noted that this bug slipped through FIPS certification and the other huge battery of certification tests that OpenSSL routinely gets affected by.

    * - the problem is that OpenSSL's license has an advertising clause which is GPL-incompatible. The GPL has an exception for linking against "system libraries", but the Debian position is that this doesn't cover OpenSSL because it's not installed out of the box. Other distros have taken different positions on the issue, but Ubuntu inherits this from Debian, as do most (all?) Debian/Ubuntu derivatives.

    --
    Still always moving
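The step that is easiest to miss in the procedure described in the comment above is the second restart: upgrading the package replaces libssl on disk, but nginx, mysqld and every other long-running process keeps the old, vulnerable copy mapped until it is restarted, which is why mysql had to be bounced separately. As an added example, not SoylentNews' own tooling, the script below finds processes that still have a deleted (pre-upgrade) libssl or libcrypto mapped, using the "(deleted)" marker the kernel puts in /proc/<pid>/maps. The /proc tree it builds for the demonstration is constructed, and the PIDs in it are invented.

```shell
#!/bin/sh
# Added example (not SoylentNews' code): find processes still running with a
# deleted, i.e. pre-upgrade, copy of OpenSSL mapped. After `apt-get upgrade`
# replaces the .so on disk, the kernel keeps the old inode alive for anyone
# who mapped it and reports the mapping with a "(deleted)" suffix.
set -eu

# Print the PIDs whose memory map references a deleted libssl/libcrypto.
# Argument: a directory laid out like /proc (defaults to /proc itself).
stale_openssl_pids() {
    procroot="${1:-/proc}"
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue        # unreadable (not root) or no match
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps"; then
            basename "$(dirname "$maps")"  # the PID is the directory name
        fi
    done
}

# Offline demonstration on a constructed /proc-like tree. Assumption: PIDs,
# addresses and inode numbers below are invented; a real run reads /proc.
demo_stale_check() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/1234" "$tmp/5678"
    # PID 1234: a daemon that was NOT restarted after the upgrade
    cat >"$tmp/1234/maps" <<'EOF'
7f2a3c000000-7f2a3c1f3000 r-xp 00000000 08:01 131078 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2a3c200000-7f2a3c3e5000 r-xp 00000000 08:01 131080 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
EOF
    # PID 5678: a daemon restarted after the upgrade, mapping the new file
    cat >"$tmp/5678/maps" <<'EOF'
7f9b1e000000-7f9b1e1f3000 r-xp 00000000 08:01 131201 /lib/x86_64-linux-gnu/libssl.so.1.0.0
EOF
    stale_openssl_pids "$tmp"
    rm -rf "$tmp"
}

demo_stale_check   # prints: 1234
```

On a real host run `stale_openssl_pids` as root, since other users' maps files are not readable; every PID it prints is a service that is still serving with the Heartbleed-era code regardless of what `dpkg -l libssl1.0.0` says. Debian's debian-goodies package ships `checkrestart`, which performs the same scan for every deleted shared object, not just OpenSSL.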
    • (Score: 2) by Hairyfeet on Friday April 11 2014, @12:38AM

      I'm sure I'll get hate for saying this but....we care about this in the U.S.S.A why exactly? If there is one thing we should have learned from the Snowden leaks, it's that the NSA has a MITM at every major terminal point IN the U.S.S.A, so you might as well be writing every bit on a giant whiteboard in the middle of town for all the good it'll do.

      Remember, folks, no matter how good your security is, it HAS to be unencrypted somewhere, and as we learned from Snowden every major provider has an open door for your Big Brothers at the NSA. The head of Google was right when he said privacy is dead; we just didn't know HOW right he was until Snowden. If you wanna change passwords to keep some script kiddie from using your email to peddle fake Viagra? Sure, go ahead. If you are doing it to keep some lackey at the NSA from reading everything you do? Best to be booking a flight out; no privacy in the U.S.S.A, comrade.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
      • (Score: 3, Insightful) by NCommander on Friday April 11 2014, @12:54AM

        Wow, there's so much wrong here that I'm going to need to break it down.

        First, using crypto everywhere means that it's difficult to capture in transit. While it is possible to MITM with a fake CA, certificate pinning can go a *long* way in stopping that in its tracks. Once we've finished the site rename and generated new SSL certificates, I'm going to look into pinning the site so that browsers will explode if they get a MITM certificate. With a pinned certificate, MITM is essentially impossible. Furthermore, we've got security precautions in place to give us a heads-up if the server software has been tampered with in case of intrusion, NSA or otherwise. We terminate SSL on the webheads and not on a load balancer, so data is only unencrypted within the machine itself; a much harder target to penetrate.

        Secondly, a lot of things use SSL with self-signed certificates; we use it internally all over the place. If it's not public-facing, it's signed by our own internal CA. All of that has to be redone because of Heartbleed.

        Third, do you really want anyone to be able to scope information? No security (or privacy protection) is perfect and a dedicated attacker can probably find a chink in the armor and get in. Right now, if a bank or health care provider is heartbleedable, your information can be leaked, and sold to whoever will buy it.

        Yes, having proper security is hard, but your comment is to roll over and let whoever they want screw us. With an attitude like that, the United States would still be a British colony. A battle is only lost when the last person gives up fighting, and apathy is not the solution to the problems in the world.

        --
        Still always moving
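Two points on this page meet in one check: Schneier's post-patch list in the summary (get a new key pair, then a new certificate) and the plan in the comment above to pin the site's certificate. Both hinge on the certificate's SubjectPublicKeyInfo. As an added example that is not the site's own code, the script below derives the SHA-256 SPKI pin of a certificate (the value an HPKP pin-sha256 directive carries) and uses it to tell a genuine key rotation from a certificate that was merely reissued on the old, possibly leaked key. It needs only the openssl command line; the CN and file names it uses are illustrative.

```shell
#!/bin/sh
# Added example (not SoylentNews' code): compute SPKI pins and verify that a
# post-Heartbleed certificate really carries a NEW public key. A reissued
# certificate on the old key has the same pin, and the old key may already
# have been read out of server memory.
set -eu

# Print the base64 SHA-256 of a certificate's DER-encoded SubjectPublicKeyInfo,
# i.e. the pin-sha256 value HPKP and most pinning libraries compare against.
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64
}

# Exit 0 if the two certificates carry different public keys (a real rotation),
# 1 if the key was reused (reissued certificate, same possibly-leaked key).
key_rotated() {
    [ "$(spki_pin "$1")" != "$(spki_pin "$2")" ]
}

# Generate a throwaway key and self-signed certificate.
# Assumption: CN "sn.example" and the file names are illustrative only.
mk_cert() {   # mk_cert <key.pem> <cert.pem>
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -days 1 -subj "/CN=sn.example" >/dev/null 2>&1
}

# Demonstration: reissuing on the old key is not a rotation; a fresh key is.
demo_rotation() {
    tmp="$(mktemp -d)"
    mk_cert "$tmp/old.key" "$tmp/old.crt"
    # "Reissue": a new certificate signed over the SAME key (what you get if
    # you resubmit the old CSR to the CA instead of generating a new key).
    openssl req -x509 -key "$tmp/old.key" -out "$tmp/reissued.crt" \
        -days 1 -subj "/CN=sn.example" >/dev/null 2>&1
    mk_cert "$tmp/new.key" "$tmp/new.crt"

    if key_rotated "$tmp/old.crt" "$tmp/reissued.crt"; then
        reissue=rotated
    else
        reissue=same-key
    fi
    if key_rotated "$tmp/old.crt" "$tmp/new.crt"; then
        fresh=rotated
    else
        fresh=same-key
    fi
    rm -rf "$tmp"
    echo "$reissue $fresh"
}

demo_rotation   # prints: same-key rotated
```

Run `spki_pin` against the certificate a server actually presents (`openssl s_client -connect host:443 </dev/null | openssl x509` gives you the file) and compare with the pin from before the patch; an unchanged pin means the key was never rotated. The same value cuts the other way for pinning: a pin set on the old key must be replaced when you rotate, and HPKP requires a backup pin for a key held offline, otherwise the rotation locks out every client that cached the old pin.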
        • (Score: 2) by Hairyfeet on Friday April 11 2014, @04:06AM

          Exactly HOW am I wrong? Remember the "$5 wrench", comrade? Well, thanks to Snowden we now know they don't even need a $5 wrench; they just need a side room at AT&T, Google, Yahoo, and pretty much every major ISP and terminal in the country. You might want to look up the telecom immunity blowup and what the whistleblower put out there about what is EXACTLY going on to see why they really don't need your keys; they can flash a badge and copy every single packet, not to mention the contents of your emails or anything else they want, no pesky warrants required.

          Again, if you want to do it to stop script kiddies? Go right ahead, but seeing as it'll take most big places a month or more to get switched, it's probably not gonna help ATM. But if you think it's gonna stop Big Bro? Well, there is a REASON why we say "if they have access to the hardware you've already lost", because once the hardware is compromised everything else is fucked. Unless you are using a VPN to tunnel AND don't have the tunnel ending anywhere in the USA, you are just playing security theater, because some lackey at the NSA can push a button and see everything you've done going back years....why do you think they built that massive bunker datacenter in Utah, for fun? When you are blanket capturing THAT much data you gotta have some big-ass boxes to pore through the stuff.

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
      • (Score: 3, Insightful) by J053 on Friday April 11 2014, @02:07AM

        You may be entirely correct - the NSA might have MITM capabilities at all Tier1 providers, data centers, etc. That still doesn't mean I want any script-kiddie would-be criminal to be able to snarf my data by hitting a website while I happen to be logged in. I don't trust our Government (or any government, for that matter), but I trust random Internet users even less.

        OK - so all your personal data is known to the NSA - really, so what? I know what They (you know, THEM) could do with all that, but what are the odds? If you're a rabid anti-gov activist, or some kind of threat to the powers-that-be, or a spy/drug dealer/Mafioso/whatever, you're justified in being worried about the Gov. watching your packets. For the rest of us, while it *seriously* pisses me off that they are monitoring us as (we've been told) they are, I'm not worried that anyone at NSA is going to run up my credit cards or empty my bank account - if the SSL bug was not fixed, I'd have to worry about that happening by anyone from anywhere.

        The (alleged) fact that the NSA is monitoring communications metadata is not a reason to not tighten up our security. In fact, this is a great opportunity to re-do all the root certs out there; maybe move to more sites using self-signed certs. It's harder for the p-t-b to compromise them, and surely we can come up with some way for end-users to confirm that a self-signed (or organizational CA-signed) cert is valid without needing a hierarchical PKI.