Heartbleed
posted in Off Topic
1
#1
10 Frags +

Edit: Steam is officially safe according to Valve. You should be fine. If you are still worried, change your password when Steam Community receives a new SSL certificate. Plenty of sites are still vulnerable, so continue being careful.

--------------

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

More info:
http://heartbleed.com/
http://lifehacker.com/what-the-heartbleed-security-bug-means-for-you-1560801201
http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

http://puu.sh/80FYo.png

http://i.imgur.com/uw1TQm1.png

http://snag.gy/V73eo.jpg

Be careful gamers

2
#2
0 Frags +

http://gyazo.com/c3b260444dac06f8cbc38ecaa18e7aa3
fixed 4 now

3
#3
-1 Frags +
[quote=Super-]http://gyazo.com/c3b260444dac06f8cbc38ecaa18e7aa3
fixed 4 now[/quote]

https://twitter.com/SteamDB/status/453582179759841280

Might be a false positive, so I'd still be careful

4
#4
9 Frags +

what is the risk of getting heart bleeded on

5
#5
0 Frags +
[quote=Oblivionage]what is the risk of getting heart bleeded on[/quote]

If the affected sites don't patch it really soon, I'd imagine pretty high, considering hackers will quickly exploit this bug and download the heaps of data that they can get. So the way to be safe is don't log in to any of the affected sites, and change your password on these sites as soon as they are patched.

6
#6
1 Frags +

Risk depends on the web services you use and how quickly the server operators react to this exploit. Most Linux distributions have already released patches for this exploit, but it is up to the companies and their security teams to actually update and adjust.

To put things in perspective, it took me half an hour to patch Debian stable, restart processes that depend on openssl, and regenerate ssh keys that could have been compromised over three of my servers. Many companies have hundreds, if not thousands, of servers that will need to be updated. If you're super paranoid, then you should not use any services that show up as exploitable in that test someone posted above. I expect most high traffic sites to be updated by now but - if not - definitely by the end of the business day. There will likely be some sites that will ask you to change your password upon login due to the exploit.

Server ops will be super busy today.
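
The post above mentions restarting processes that depend on OpenSSL after patching. As an added example (not part of the original post), this Python script finds processes that still have the pre-upgrade libssl or libcrypto mapped, using the " (deleted)" marker Linux shows in /proc/<pid>/maps; the sample map lines are constructed.

```python
import glob
import re

# An OpenSSL shared object followed by the kernel's " (deleted)" marker:
# the file was replaced on disk but the old copy is still mapped.
STALE = re.compile(r"/(lib(?:ssl|crypto)\.so[^\s/]*) \(deleted\)$")

def stale_openssl_libs(maps_text):
    """Return the set of deleted OpenSSL libraries named in one maps file."""
    found = set()
    for line in maps_text.splitlines():
        m = STALE.search(line.rstrip())
        if m:
            found.add(m.group(1))
    return found

def scan_proc():
    """Map pid -> stale libraries for every readable process on this host."""
    result = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as fh:
                libs = stale_openssl_libs(fh.read())
        except OSError:  # process exited, or not permitted to read
            continue
        if libs:
            result[int(path.split("/")[2])] = sorted(libs)
    return result

# Constructed samples: a daemon started before the upgrade, and one after.
SAMPLE_OLD = """\
7f3a1c000000-7f3a1c05a000 r-xp 00000000 08:01 393224 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c25a000-7f3a1c412000 r-xp 00000000 08:01 393220 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1d000000-7f3a1d1b5000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libc-2.13.so
"""
SAMPLE_NEW = """\
7f9b10000000-7f9b1005a000 r-xp 00000000 08:01 401133 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
"""

if __name__ == "__main__":
    for pid, libs in scan_proc().items():
        print(pid, ", ".join(libs))
```

Run it as root to see every process. Statically linked binaries do not appear, since they map no shared library.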

7
#7
1 Frags +

what kind of sites are most likely to be targeted?

8
#8
0 Frags +
[quote=redd]what kind of sites are most likely to be targeted?[/quote]

I'd figure services like banks and the like. Anything that might hold confidential/secure information.

9
#9
0 Frags +

possibly websites you can purchase stuff from. i'm not too familiar with this, but that would be my guess. banks would also make sense.

10
#10
3 Frags +

So essentially after I run this HeartBleed test on a domain that I have login info on if it comes up unaffected I should be good to go to change that pw now?

ESEA.NET just came back as vulnerable, for whatever that is worth.

Most major sites I tried seemed to be working and saying they were unaffected according to that heartbleed tester site.

So what is the next step for users? Change our passwords and such?

edit.

yahoo is still vulnerable as of right now too.

edit

seems it isn't vulnerable anymore?

11
#11
0 Frags +

http://i.imgur.com/JHfA3Ot.png

I think my Heartbleed-check-ception confused it, been loading for quite a few minutes now. Maybe it's cause of the http or something but I never manually added that.

12
#12
3 Frags +
[quote=Forty-Two]http://i.imgur.com/JHfA3Ot.png
I think my Heartbleed-check-ception confused it, been loading for quite a few minutes now. Maybe it's cause of the http or something but I never manually added that.[/quote]

I don't know how it handles "http://", because there's no encryption for http, only https.
Apparently port 443 (port used for https) isn't even open on filippo.io.

13
#13
2 Frags +

Don't change your passwords until the website in question gets a new certification key. Just because they aren't vulnerable to have their SSL key retrieved anymore, doesn't mean that someone doesn't have the current key.

14
#14
8 Frags +

How does one know when they have a new cert key?

What other steps should us lowly non-computer savvy peasants take?
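
One way to approach the question above, as an added example that is not part of any post in this thread: read the certificate's notBefore date and fingerprint with Python's ssl module and compare them with the Heartbleed public disclosure date (7 April 2014, a date assumed here and not stated in the thread). The sample certificate values and the `earlier_fingerprint` parameter are constructed for illustration.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone

# Assumption: Heartbleed public disclosure date (not stated in the thread).
DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

def fetch_cert(host, port=443, timeout=5):
    """Return (notBefore, SHA-256 hex of the DER certificate) for a live host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.getpeercert()["notBefore"], hashlib.sha256(der).hexdigest()

def issued_at(not_before):
    """Parse the 'Apr  9 00:00:00 2014 GMT' format returned by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), timezone.utc)

def assess(not_before, fingerprint, earlier_fingerprint=None):
    """Classify a certificate; earlier_fingerprint is one you noted before the
    site was patched (hypothetical input, most users will not have one)."""
    if earlier_fingerprint is not None and fingerprint == earlier_fingerprint:
        return "same certificate as before: wait"
    if issued_at(not_before) < DISCLOSED:
        return "issued before disclosure: wait"
    return "issued after disclosure: certificate was replaced"

# Constructed sample values, so the logic can be run offline.
SAMPLES = [
    ("Mar  1 00:00:00 2013 GMT", "aa11", None),
    ("Apr  9 00:00:00 2014 GMT", "bb22", "aa11"),
    ("Mar  1 00:00:00 2013 GMT", "aa11", "aa11"),
]

if __name__ == "__main__":
    for not_before, fp, earlier in SAMPLES:
        print(not_before, "->", assess(not_before, fp, earlier))
```

A later issue date or a changed fingerprint shows the certificate was replaced, not that a new private key was generated, and a reissued certificate can carry its original start date. Treat the result as a hint and look for the site's own announcement.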

15
#15
1 Frags +

Unfortunately i'm also not that wise on things like that. This is just something that i've gathered reading around. Odds are valve will get something done very quickly though. They have a lot of customers. Sorry I can't help with that :/

16
#16
1 Frags +

Steam should be safe now
https://mobile.twitter.com/SteamDB

17
#17
2 Frags +
[quote=WithADanceNumber]valve will get something done very quickly[/quote]

???

18
#18
2 Frags +
[quote=shade]So essentially after I run this HeartBleed test on a domain that I have login info on if it comes up unaffected I should be good to go to change that pw now?

ESEA.NET just came back as vulnerable, for whatever that is worth.

Most major sites I tried seemed to be working and saying they were unaffected according to that heartbleed tester site.

So what is the next step for users? Change our passwords and such?

edit.

yahoo is still vulnerable as of right now too.

edit

seems it isn't vulnerable anymore?[/quote]

When a site is vulnerable, (requoting) it means even if you change it, you'll still be hijacked from hackers.

Once the site issues a security certificate, (new one) you can change it.

19
#19
5 Frags +
[quote=WithADanceNumber]Don't change your passwords until the website in question gets a new certification key. Just because they aren't vulnerable to have their SSL key retrieved anymore, doesn't mean that someone doesn't have the current key.[/quote]

Please listen to this smart man.

With WinXP support ending and this crap, I am having a field day at work today.
