posted by janrinok on Thursday April 10 2014, @09:45PM
from the security-is-important dept.

After our report on the OpenSSL bug nicknamed 'Heartbleed', two contributors have forwarded articles on why you should change your passwords.

Heartbleed, and why you should change your password

I always believed Mojang would keep my details safe; now I realise they are not in control of their own data. Mojang/Minecraft passwords should be changed immediately.

Heartbleed Bug: Change All Your Passwords

The fallout from the Heartbleed bug is hitting the mainstream. The BBC has an article headlined "Public urged to reset all passwords".

Bruce Schneier calls it "catastrophic", giving this advice to sysadmins: "After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected." He also links to a webpage that will let you test servers for the bug, and an article on Ars Technica discussing the bug.

  • (Score: 4, Insightful) by multisync on Thursday April 10 2014, @10:35PM

    by multisync (4002) on Thursday April 10 2014, @10:35PM (#29743)

    Telling people to change all of their passwords immediately is a bit of a hysterical reaction. A better approach would be to find out whether sites like your bank and on-line retailers you've done business with are affected by Heartbleed and, if they are, changing your passwords *after* they have patched their servers, generated new keys etc.

    This [reddit.com] article from Reddit gives details on Canadian financial institutions. You can also use this tool [ssllabs.com] to test whether a domain is vulnerable.

    Or you could visit your bank/on-line realtor's website - or call them - to find out whether they are affected and if they have taken necessary steps to resolve the issue.

    It's good for people to change their passwords, but changing them on a site that is vulnerable before the site has actually dealt with the problem will do nothing but give the user a false sense of security.

  • (Score: 0) by Anonymous Coward on Thursday April 10 2014, @10:56PM

    by Anonymous Coward on Thursday April 10 2014, @10:56PM (#29754)

    No, it's worse than false security -- it purposely puts your password at risk! It makes certain that it's in memory waiting to be snarfed through heartbleed.

    You'd be much safer never logging in at all, until you were sure the site fixed its issues.

    • (Score: 0) by Anonymous Coward on Friday April 11 2014, @08:11AM

      by Anonymous Coward on Friday April 11 2014, @08:11AM (#29912)
      Mod parent up. If the sites haven't fixed the problems yet, it's a BAD idea to change your passwords or even log in. It will take quite a while. If you are really paranoid you have to wait for them to use new SSL certificates (if the hackers have all the secrets they could MITM you with the old certs).

      As it is, given that 90% out there are unlikely to be ever changing their passwords even after the sites have updated everything, in some countries if "stuff happens" the Court might still side with you - after all did the judge change his own bank passwords? I bet he didn't. ;).

      So in such countries you can still login - the banks are the ones who should be worried and should be doing what Mojang/the Minecraft site did: shut everything down till they have updated everything, including installing new HTTPS certs and having the old ones revoked.

      If the banks etc don't think the problem is serious enough to do that, I don't see why their users should be changing their passwords. The sites should be partly liable for the problem not the users. After all using openssl is a choice they made. They could be using IIS instead, or Java's SSL/TLS.
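The advice running through the thread above (don't log in or change a password until the site is patched, and, if you are careful, until it presents a certificate issued after the disclosure and the old one is revoked) can be turned into a simple check. The following is an added example written for this page, not code from the story or from any commenter. It assumes the certificate is in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, uses 7 April 2014 as the Heartbleed disclosure date, and takes the "patched" status and a revoked-serial set as inputs you would get from the operator's own announcement (a stand-in for a real CRL/OCSP lookup). The sample certificates are constructed, not real.

```python
import datetime
import socket
import ssl

# Heartbleed was publicly disclosed on 7 April 2014; a certificate issued
# before that date cannot have been a response to it.
HEARTBLEED_DISCLOSED = datetime.datetime(2014, 4, 7, tzinfo=datetime.timezone.utc)

# Constructed sample certificates (not real): one server re-keyed after the
# disclosure, one still presenting a certificate issued before it.
REKEYED_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "notBefore": "Apr 10 00:00:00 2014 GMT",
    "notAfter": "Apr 10 00:00:00 2015 GMT",
    "serialNumber": "0B",
}
OLD_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "notBefore": "Mar 01 00:00:00 2014 GMT",
    "notAfter": "Mar 01 00:00:00 2015 GMT",
    "serialNumber": "0A",
}


def cert_not_before(cert):
    """Return the certificate's notBefore field as an aware UTC datetime.

    getpeercert() gives notBefore as e.g. 'Apr 10 00:00:00 2014 GMT';
    ssl.cert_time_to_seconds() parses exactly that format.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)


def rotation_advice(cert, patched, revoked_serials=()):
    """Decide whether it is sensible to log in and change the password yet.

    patched:         operator reports the server is no longer vulnerable
    revoked_serials: serial numbers (strings) the operator has revoked;
                     a hypothetical input standing in for a CRL/OCSP check
    Returns 'WAIT_PATCH', 'WAIT_REKEY' or 'OK'.
    """
    if not patched:
        # Logging in now only puts the new password into vulnerable memory.
        return "WAIT_PATCH"
    if cert_not_before(cert) < HEARTBLEED_DISCLOSED:
        # Certificate predates disclosure: the private key may already be known.
        return "WAIT_REKEY"
    if cert.get("serialNumber") in revoked_serials:
        # The server is still presenting a certificate its operator revoked.
        return "WAIT_REKEY"
    return "OK"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, cert in (("shop.example", OLD_CERT), ("bank.example", REKEYED_CERT)):
        print(name, rotation_advice(cert, patched=True))
```

A post-disclosure notBefore is evidence, not proof, that the key changed: a CA can reissue a certificate for the same public key, so where the operator publishes the new key's fingerprint, compare that as well. For a live host, pass `fetch_peer_cert(host)` as `cert`.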
  • (Score: 1) by FakeBeldin on Friday April 11 2014, @09:34AM

    by FakeBeldin (3360) on Friday April 11 2014, @09:34AM (#29938) Journal

    Telling people to change all of their passwords immediately is a bit of a hysterical reaction.
    True. (It's very Y2K-y.)

    On the other hand, if we get them to do that, then... they all just changed all their passwords!
    Just the fact that a significant percentage of people will change their passwords (no matter why) is good.

    • (Score: 3) by VLM on Friday April 11 2014, @11:13AM

      by VLM (445) on Friday April 11 2014, @11:13AM (#29969)

      "Just the fact that a significant percentage of people will change their passwords (no matter why) is good."

      Asking "why" at this juncture is usually interesting. No appeal to authority or tradition, just logic please.

      • (Score: 1) by monster on Friday April 11 2014, @02:07PM

        by monster (1260) on Friday April 11 2014, @02:07PM (#30054) Journal

        Pluses:
        - It invalidates previously harvested passwords, be it hashed or in cleartext form.
        - Most passwords that stand a lot of time do so because they are easy to remember. That usually means they are also vulnerable because of low entropy.

        Minuses:
        - A lot of people will pick an easily remembered password as their new one, so again low entropy.
        - Many people will fail to follow good practices and will use the same password on several sites.