Change your passwords

Glenn · Apr 09, 2014, 19:33:39

"Catastrophic is the right word. On the scale of one to 10, this is an 11,"

http://www.bbc.co.uk/news/technology-26954540

Simon · Apr 09, 2014, 19:45:37

:aarrgh:

Technical Ben · Apr 10, 2014, 00:00:41

Hmmmm... I wonder if I can even remember half of them.

zappaDPJ · Apr 10, 2014, 02:57:31

Very much related to this: http://www.idnetters.co.uk/forums/index.php/topic,32024.0.html

It's all very well running around changing all your passwords but how do you know that the servers have been adequately patched? In fact, just logging in to change a password might actually reveal both the old and new password to an attacker. In my view this is potentially bad advice being given out by uninformed reporters.

Gary · Apr 10, 2014, 07:45:19

This bug has been around since 2011, yes its bad but as Zap said changing all your passwords is a tad over the top, even that sensationalist BBC story at the end quotes another source saying you don't have to, unless told too really. The BBC likes its headlines to be scary...

Steve · Apr 10, 2014, 08:16:47

The BBC seems to be as useful as the Daily Mail and the Daily Express these days, sensationalistic cr*p.

Gary · Apr 10, 2014, 08:20:56

There's been a lot of concern about the OpenSSL Heartbleed bug, which is a vulnerability that allows theft of information that's normally protected by the SSL/TLS encryption used to secure many Internet sites and services. Well, thanks to a tip from former TUAW-er Damien Barrett, those of us who run OS X and OS X Server can breathe a bit easier. No versions of OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version of shipped by Apple in an OS was 0.9.8y, which is a branch not affected by this bug. So unless you've installed OpenSSL via MacPorts or Homebrew, your public-facing OS X servers/services should be immune to this bug." Also OpenSSL has never been provided as part of iOS"

http://www.tuaw.com/2014/04/09/why-the-openssl-heartbleed-bug-doesnt-affect-os-x-or-os-x-serve/

Gary · Apr 10, 2014, 08:53:04

Facebook, Google, Dropbox and now Yahoo mail are safe, although yahoo was vulnerable for a while. IDNet test safe too from what I can see although the encryption says weak

Natwest seems safe too but whether it was is another thing as with many of these sites, running about changing them seems over the top though, and the BBC is just spreading panic for headlines.

Technical Ben · Apr 10, 2014, 10:18:04

Quotealthough yahoo was vulnerable for a while

It's Yahoo... need we say more? (Well, if I do, they've been in lots of trouble, ranging from employees giving out details to make cash, to loosing it by mistake)

Gary · Apr 10, 2014, 10:39:26

Quote from: Technical Ben on Apr 10, 2014, 10:18:04
It's Yahoo... need we say more? (Well, if I do, they've been in lots of trouble, ranging from employees giving out details to make cash, to loosing it by mistake)

Well considering Yahoo is used for BT Mail I imagine some people were concerned as they just use the default email service. Other firms are just as bad, and since this bug effects maybe 66% of servers world wide its not really yahoos fault this time.

zappaDPJ · Apr 10, 2014, 15:29:29

I probably ought to say that although I'd advise you not change all your passwords this is a problem that should be taken very seriously now that the knowledge of it is in the public domain. To put some perspective on the matter here's a list of 10,000 sites that are or were vulnerable: https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt This provides a reasonable explanation of how the exploit works: http://heartbleed.com/

The short version is up until a week ago your stuff was as safe or as unsafe as it's ever been. Now knowledge of this flaw is in the public domain your stuff is not safe at all if it's sitting on servers that remain vulnerable. If that is the case you should wait for the service provider to patch the flaw and then change your password.

On a more positive note this has provided me with more work than I can possibly cope with!

Simon · Apr 10, 2014, 17:30:21

Christ, that's a hell of a lot to go through checking if they're sites one uses!

What does 'No SSL' mean, against some of them? I've checked a few and they seem secure in my browser.

Gary · Apr 10, 2014, 18:22:46

Thankfully my stuff is on very few sites and servers and they are all patched and hunky dory. The internet is getting to be a horrendous pain in the backside, oh look I have a garden and its sunny...

Bill · Apr 10, 2014, 19:03:39

An idiot's guide from the Daily Telegraph:

http://www.telegraph.co.uk/technology/internet-security/10756807/Heartbleed-bug-which-passwords-should-you-change.html

Open government? Who needs it...

Simon · Apr 10, 2014, 19:10:35

The 'this website' link on there takes me to a Spotify page asking me to login via Facebook.

Bill · Apr 10, 2014, 19:15:11

Don't understand that, works fine for me- straight to the DT page

Simon · Apr 10, 2014, 19:38:19

Just cleared iPhone cache and history and it's fine now.

Bill · Apr 10, 2014, 19:50:41

'Tis a wondrous thing, the internet

Technical Ben · Apr 10, 2014, 20:49:50

Quote from: Simon on Apr 10, 2014, 17:30:21
Christ, that's a hell of a lot to go through checking if they're sites one uses! What does 'No SSL' mean, against some of them? I've checked a few and they seem secure in my browser.

Most probably that the site does not use SSL so is "safe".

Simon · Apr 10, 2014, 20:52:10

OK, I'll put my Mr Thick hat on, but that sounds like a contradiction in terms. I thought SSL meant it IS secure.

Steve · Apr 10, 2014, 21:46:17

So is a Safe unless you give away the combination.

Technical Ben · Apr 10, 2014, 21:51:22

Quote from: Simon on Apr 10, 2014, 20:52:10
OK, I'll put my Mr Thick hat on, but that sounds like a contradiction in terms. I thought SSL meant it IS secure.

It's "safe from the bug" because it does not use SSL. Like saying "safe from lock pickers" because it has no locks...

(Hence me putting safe in quotations. It's not really safe from all things, just this one instance. Or at the least, is not a data collecting site, so has no need for SSL)

Gary · Apr 10, 2014, 22:02:18

Mkaes me laugh oddly, google said no need to change password then the telegraph says you have to, unless google facebook etc tell me I'm doing nothing.

zappaDPJ · Apr 11, 2014, 14:37:19

Quote from: Simon on Apr 10, 2014, 20:52:10
OK, I'll put my Mr Thick hat on, but that sounds like a contradiction in terms. I thought SSL meant it IS secure.

In theory yes, but in reality it turns out running SSL has given attackers an entry point to exploit. Systems running it have been less secure than systems that don't run it all. However nobody knows if anyone has actually exploited the entry point because it would leave no trace if they did. For all we know all our stuff has already been harvested or more likely (I think) it hasn't been touched at all. It certainly became a thousand times more vulnerable during the window when this became public knowledge until such time that the servers were patched. I'd like to think anything important has already been patched by now.