General News Heartbleed bug?

Discussion in 'Current Events, World News, & LGBT News' started by ChloeKiss, Apr 11, 2014.

  1. ChloeKiss

    Hey guys, I just logged into my computer and this warning came up saying Heartbleed bug? Apparently some sites are unsafe and our passwords are at risk? People can get into our credit cards? I'm really worried.. Has anyone else got a warning? What have you done about it?
     
  2. Emulator

  3. Kasey

    So I shouldn't like log into anywhere?
     
  4. Jinkies

    ^No, it's a bug that was found in the security software of many servers. Doesn't mean don't log in. Just means you're gonna want to change your password asap.
     
  5. Kasey

    I have like a gazillion ones...

    Well apparently my bank and Amazon aren't susceptible. Maybe eBay I might go change and my Yahoo mail...
     
    #5 Kasey, Apr 11, 2014
    Last edited: Apr 11, 2014
  6. Emulator

    Only on sites that use OpenSSL.
     
  7. Kasey

    So there is a difference between OpenSSL and a proprietary SSL right?
     
  8. Emulator

    Yes, it's more of a software than an SSL certificate...which is why it has bugs.
     
  9. WeirdnessMagnet

    And only on sites that use versions of OpenSSL that were released in the last two years (and not even all of them.)

    Which still means roughly 3/4 of the Web. :frowning2:

    And, although passwords and credit cards are bad enough, that's just fish... The fishing rod is that a hacker can get private keys to SSL certificates and use them to set up all kinds of attacks, up to and including Stuxnet-style trojans, which stayed undetected because they were signed with stolen keys from legit hardware manufacturers. Only this time around a hacker doesn't need to be whatever major intelligence agency wrote them, he just needs one unpatched server...

    So, that lock icon or that driver certificate won't mean what they used to mean for quite a while...
     
    #9 WeirdnessMagnet, Apr 11, 2014
    Last edited: Apr 11, 2014
  10. Chip

    Most reputable providers (including our ISP) updated their servers within a few hours of the bug being reported. You should still change passwords out of an abundance of caution, but the exploit was not widely known, and once discovered, major providers (Google, Facebook, cloud providers) were made aware of the bug and fixed it before a public announcement was made. So for the most part, things should be pretty safe at this point if you stick with major companies... and within a few days, I think just about every server on the Net will likely have been updated.
     
  11. WeirdnessMagnet

    As far as widely-used services by major Internet companies go, probably yes... And I expect them to eventually do the right thing and re-certify too, just in case. But would every Boondocks Banking Co. and Obscure Semiconductor LLC be as prompt? (and if I was the bad guy in it for the money or a spy those would be my prime targets, not Yahoo or Google. Same reward, much less risk.)
     
  12. mnguy

    How do you know when a website has fixed the problem on their end so you know it's safe to change your password?
     
  13. Pret Allez

    It was a TLS heartbeat read overrun that is found in OpenSSL versions 1.0.1 to 1.0.1f. It was fixed in 1.0.1g.

    An attacker could use the buffer overrun to read up to 64K of secret data from a web server. It is possible that some SSL private keys may have been compromised, and attackers were able to either impersonate the organization running the website and/or to steal private information like user credentials and financial information.

    We do not know the scope of the compromise.
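
The bounds check whose absence caused the over-read described in the post above, as an added example that is not part of the original thread and is not OpenSSL's own code: a simplified heartbeat handler using the RFC 6520 message layout. The function name `hb_build_response` and the sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Echo the payload of the heartbeat request in rec[0..rec_len).
 * Returns bytes written to out, or -1 if the record is discarded. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;

    /* Length claimed by the sender: a 16-bit field, so 0..65535. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The claimed payload must fit inside the bytes actually received.
     * Without this test the memcpy below reads past the record and
     * returns up to 64K of adjacent process memory to the sender. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return -1;
    if (HB_HEADER + claimed + HB_PADDING > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING); /* RFC 6520 uses random padding */
    return (int)(HB_HEADER + claimed + HB_PADDING);
}

int main(void)
{
    uint8_t out[64];
    /* Constructed records: same 4-byte payload, different claimed lengths. */
    uint8_t honest[HB_HEADER + 4 + HB_PADDING] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t lying[HB_HEADER + 4 + HB_PADDING]  = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
    printf("honest: %d\n", hb_build_response(honest, sizeof honest, out, sizeof out));
    printf("lying:  %d\n", hb_build_response(lying, sizeof lying, out, sizeof out));
    return 0;
}
```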
     
  14. sldanlm

  15. CyberStar

    Man, this is evil... This is why I use hundred-character passwords on my sites that allow it (stupid Microsoft).