39 posts in this topic

Posted

Thanks.. it's fixed... cookie removed and it worked

i refer you to my previous post

 

log out and then back in. a new password cookie needs to be created for the front page


Posted

Considering I forgot my password and had it generated and emailed to me, i'm not worried... :laugh:


Posted

I like to change mine every few months (using the max amount of letters) so changing it again is no biggie!


Posted

Isn't that only if you google or somehow get duped into clicking on a fake Neowin link? If you bookmark Neowin and use that, we should be OK.

 

Also, you can use this link https://www.ssllabs.com/ to check sites to see if they are vulnerable to the Heartbleed vulnerability.

 

Depends on how paranoid you are. We (should) know all too well how extensively certain people are breaching our privacy and security, in particular systems administrators in some respects. A compromised certificate not only helps to add legitimacy to a phishing attack (which could perhaps be avoided with the use of a bookmark, as you suggest), but also to MITM attacks.

 

The vulnerability exposes application memory content, which could expose authentication credentials of users logging in, or potentially even the site/service's private key (there seems to be some debate about this). Patching the hole prevents further data leakage; however, there's still a problem if the private key was indeed compromised.

 

If the private key is indeed compromised:

 - Any secure communications without PFS are also compromised. This applies to all past and future communications, regardless as to whether the patch has been applied.

 - Communications protected with PFS are a little more complicated. They require that session keys are compromised independently from the RSA private key. If there's a possibility of private keys being leaked, there's certainly also a possibility of session keys being leaked, though it occurs to me that having to fish the right session key out of memory for a given communication might be a slightly trickier challenge. If it is possible, communications that have taken place prior to servers being patched may have been compromised. Communications taking place after the servers have been patched are secure, despite the private key having been compromised, but only as long as you are communicating with the correct servers.

 - Whether or not PFS is used, if the RSA private key is compromised, it is possible for an attacker to perform a MITM attack. PFS isn't going to do anything to protect you in this case.

 

Whether or not the certificate needs replacing depends on whether it has been possible for it to have been leaked through vulnerable application software, which as I mentioned seems to perhaps be under dispute. If it is indeed possible that the certificate may have been compromised, it is pointless for us to change our passwords prior to the certificate being replaced.

 

I really want to see this whole mess cleaned up as quickly as possible and I'd much rather see website/service owners assuming the worst case scenario and immediately replacing certificates than delaying things by spending time trying to understand and identify whether the architecture of the webserver software (or whatever) that they have been running over the past few years may perhaps have allowed the private key to be leaked in order to make a decision as to whether or not to go ahead with a replacement.
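The three bullet points above, modelled in code as an added example (this is not the poster's code, and it is not real TLS): textbook RSA with small constructed primes stands in for the server's long-term key, and a small finite-field Diffie-Hellman group stands in for (EC)DHE. A recorded handshake transcript plus the leaked private key recovers the session key of an RSA key-transport session, cannot recover the session key of a DHE session (the transcript only holds the public shares and a signature), but does let the holder of the key produce a valid server signature over a share they chose themselves, which is why PFS does not stop an active MITM. All parameters, message layouts and function names are assumptions for illustration only.

```python
"""Toy model of the PFS vs. non-PFS argument. Constructed parameters; not TLS."""

import hashlib
import random

# --- constructed toy parameters (assumed for illustration only) ---
P, Q = 1009, 1013                # toy RSA primes, far too small for real use
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # private exponent (Python 3.8+ modular inverse)
DH_P = 2 ** 127 - 1              # toy DH prime (Mersenne), toy generator below
DH_G = 3


def _digest_int(msg: bytes) -> int:
    """Hash a message to an integer below N (textbook RSA signing input)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def rsa_sign(msg: bytes, d: int = D) -> int:
    """Server signs with its long-term private key (textbook RSA, no padding)."""
    return pow(_digest_int(msg), d, N)


def rsa_verify(msg: bytes, sig: int) -> bool:
    """Client checks a signature against the server's public key (N, E)."""
    return pow(sig, E, N) == _digest_int(msg)


def rsa_key_transport_handshake(rng: random.Random):
    """Non-PFS: client encrypts a premaster secret to the server's public key.
    Returns (transcript as seen on the wire, session key both sides derive)."""
    pms = rng.randrange(2, N)
    enc_pms = pow(pms, E, N)
    session_key = hashlib.sha256(pms.to_bytes(4, "big")).digest()
    return {"enc_pms": enc_pms}, session_key


def dhe_handshake(rng: random.Random):
    """PFS: both sides pick ephemeral exponents; the server signs its share.
    Returns (transcript as seen on the wire, session key both sides derive)."""
    a = rng.randrange(2, DH_P - 1)          # client ephemeral secret
    b = rng.randrange(2, DH_P - 1)          # server ephemeral secret
    share_a = pow(DH_G, a, DH_P)
    share_b = pow(DH_G, b, DH_P)
    sig = rsa_sign(str(share_b).encode())   # authenticates the server share
    shared = pow(share_a, b, DH_P)          # equals pow(share_b, a, DH_P)
    session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return {"share_a": share_a, "share_b": share_b, "sig": sig}, session_key


def passive_recovery_with_leaked_key(transcript: dict, leaked_d: int = D):
    """What a recorded handshake plus the leaked private key yields.
    RSA key transport: the session key. DHE: nothing, because the private key
    only concerns the signature; the shared secret would need a discrete log."""
    if "enc_pms" in transcript:
        pms = pow(transcript["enc_pms"], leaked_d, N)
        return hashlib.sha256(pms.to_bytes(4, "big")).digest()
    return None


def leaked_key_forges_server_signature(leaked_d: int = D) -> bool:
    """The MITM point: with the leaked key, a signature over a DH share the
    key holder chose themselves verifies under the server's public key, so a
    client cannot tell it from the real server. PFS does not help here."""
    chosen_share = pow(DH_G, 12345, DH_P)   # constructed attacker-side exponent
    forged = rsa_sign(str(chosen_share).encode(), leaked_d)
    return rsa_verify(str(chosen_share).encode(), forged)


if __name__ == "__main__":
    rng = random.Random(1)
    t_rsa, k_rsa = rsa_key_transport_handshake(rng)
    t_dhe, k_dhe = dhe_handshake(rng)
    print("RSA transport session key recovered:",
          passive_recovery_with_leaked_key(t_rsa) == k_rsa)
    print("DHE session key recovered:",
          passive_recovery_with_leaked_key(t_dhe) == k_dhe)
    print("Leaked key can impersonate server:",
          leaked_key_forges_server_signature())
```

The split the code makes is the one the post makes: patching plus a leaked key leaves every recorded non-PFS session readable for good, leaves recorded PFS sessions alone unless the session keys themselves leaked from memory, and leaves future sessions of either kind open to impersonation until the key pair (not just the certificate) is replaced.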


Posted


Yeah, it's the best and the fastest scenario. Yahoo changed its certificate some hours ago, for example.


Posted

As pointed out by others, the password changes really only have an effect if the certificate was also updated. This morning a certificate renewal was requested and I can confirm that it has now been updated.

 

So if it's not too much hassle, change those passes again :p


Posted

So if it's not too much hassle, change those passes again :p

 

roflol

 

Now I'm gonna update the password (for the first time in a decade).

 

thanks Neobond!


Posted

Changed, thanks.


Posted

As pointed out by others, the password changes really only have an effect if the certificate was also updated. This morning a certificate renewal was requested and I can confirm that it has now been updated.

 

So if it's not too much hassle, change those passes again :p

 

I can't seem to get the new cert... :(

 

I've Ctrl+F5'd, I've cleared all history, and I've tried switching to Chrome. I'd presume it might be some cache between me and the server, but even LastPass and SSL Labs are only seeing the old date...
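A way to check what the post above is checking by hand, as an added example (not the poster's code, and not anything the forum software provides): fetch the certificate the server actually presents and compare its notBefore date with a cutoff. The cutoff defaults to the public Heartbleed disclosure date, 7 April 2014; a certificate with a notBefore earlier than that was certainly not reissued in response. The host name is taken from the command line; the date strings in the test are constructed.

```python
"""Check whether the certificate a TLS server presents was issued after a cutoff date."""

import datetime
import socket
import ssl
import sys

# Public disclosure date of Heartbleed (CVE-2014-0160): 7 April 2014.
DISCLOSURE_CUTOFF = datetime.datetime(2014, 4, 7, tzinfo=datetime.timezone.utc)


def issued_after(not_before: str, cutoff: datetime.datetime = DISCLOSURE_CUTOFF) -> bool:
    """not_before is the string form found in ssl's getpeercert() dict,
    e.g. 'Apr  9 12:00:00 2014 GMT' (constructed sample value)."""
    seconds = ssl.cert_time_to_seconds(not_before)
    issued = datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)
    return issued > cutoff


def assess(cert: dict, cutoff: datetime.datetime = DISCLOSURE_CUTOFF) -> dict:
    """Summarise the fields of a getpeercert() dict that matter for this check."""
    not_before = cert["notBefore"]
    return {
        "notBefore": not_before,
        "serialNumber": cert.get("serialNumber"),
        "reissued_after_cutoff": issued_after(not_before, cutoff),
    }


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the peer certificate dict.
    Verification is left on so a MITM-substituted certificate is rejected
    rather than silently reported as the server's."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python check_cert_date.py <hostname>   (hostname supplied by the user)
    if len(sys.argv) != 2:
        sys.exit("usage: check_cert_date.py <hostname>")
    print(assess(fetch_cert(sys.argv[1])))
```

Two caveats a practitioner would want: a new notBefore date only shows the certificate was reissued, not that the key pair was changed (a certificate can be renewed over the same public key, which is the case the earlier post worries about), and a stale result from a different vantage point, as the post describes, usually means a CDN edge, load balancer or proxy is still serving the old certificate, so the check is worth repeating from more than one network.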


Posted

Not worried, I use a disposable password for forums :)


Posted

Maybe wise to post this on the front page? Or send a general mail to all the members to let them know?


Posted

Fake! The hammer never dropped!!

Does it need to be real? :o


Posted

This should be front page, though.


Posted

wall-of-text

 

Ugh, you didn't quote the entire post of the user who posted right before you - did you. xD

BTW, for anyone serious about passwords (meaning not anyone who's posted in here, hehe), you can generate fairly *secure* PWDs online and/or, for anyone using (X)Ubuntu:

https://help.ubuntu.com/community/StrongPasswords

P.S.

 

I like to change mine every few months (using the max amount of letters) so changing it again is no biggie!

 

You must be a Window$ admin!! ;-P ;-D

P.P.S.

 

Not worried, I use a disposable password for forums :)

 

Ofc., as everyone should?.. :)
