Change your password (Heartbleed zero-day vulnerability) CERT UPDATED!


Thanks.. it's fixed... cookie removed and it worked

I refer you to my previous post.

 

Log out and then back in. A new password cookie needs to be created for the front page.


Isn't that only if you Google or somehow get duped into clicking on a fake Neowin link? If you bookmark Neowin and use that, we should be OK.

 

Also you can use this link https://www.ssllabs.com/ to check sites to see if they are vulnerable to the heartbleed vulnerability.

 

Depends on how paranoid you are. We (should) know all too well how extensively certain people are breaching our privacy and security, in particular systems administrators in some respects. A compromised certificate not only helps to add legitimacy to a phishing attack (which could perhaps be avoided with the use of a bookmark, as you suggest), but also to MITM attacks.

 

The vulnerability exposes application memory content, which could expose authentication credentials of users logging in, or potentially even the site/service's private key (there seems to be some debate about this). Patching the hole prevents further data leakage; however, there's still a problem if the private key was indeed compromised.

 

If the private key is indeed compromised:

 - Any secure communications without PFS are also compromised. This applies to all past and future communications, regardless of whether the patch has been applied.

 - Communications protected with PFS are a little more complicated. They require that session keys are compromised independently from the RSA private key. If there's a possibility of private keys being leaked, there's certainly also a possibility of session keys being leaked, though it occurs to me that having to fish the right session key out of memory for a given communication might be a slightly trickier challenge. If it is possible, communications that have taken place prior to servers being patched may have been compromised. Communications taking place after the servers have been patched are secure, despite the private key having been compromised, but only as long as you are communicating with the correct servers.

 - Whether or not PFS is used, if the RSA private key is compromised, it is possible for an attacker to perform a MITM attack. PFS isn't going to do anything to protect you in this case.

 

Whether or not the certificate needs replacing depends on whether it has been possible for it to have been leaked through vulnerable application software, which as I mentioned seems to perhaps be under dispute. If it is indeed possible that the certificate may have been compromised, it is pointless for us to change our passwords prior to the certificate being replaced.

 

I really want to see this whole mess cleaned up as quickly as possible and I'd much rather see website/service owners assuming the worst case scenario and immediately replacing certificates than delaying things by spending time trying to understand and identify whether the architecture of the webserver software (or whatever) that they have been running over the past few years may perhaps have allowed the private key to be leaked in order to make a decision as to whether or not to go ahead with a replacement.

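As an added illustration of the PFS argument in the post above (this is not code from the original thread), a toy Python model with constructed, tiny RSA and Diffie-Hellman parameters: a recorded RSA-key-exchange handshake is fully recoverable by whoever holds the leaked private key, a DHE handshake is not, and in both cases the leaked key still signs a fresh handshake, which is why the certificate has to be reissued and not just the password changed.

```python
import random

# Toy textbook RSA with tiny constructed primes (demo only, not real crypto)
P, Q = 61, 53
N = P * Q                              # 3233
E = 17                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: the "leaked" long-term key

def rsa_enc(m): return pow(m, E, N)        # public key only
def rsa_dec(c): return pow(c, D, N)        # needs the private key D
def rsa_sign(m): return pow(m, D, N)       # needs the private key D
def rsa_verify(m, s): return pow(s, E, N) == m

# Toy Diffie-Hellman group (constructed, tiny): prime modulus and generator
DH_P, DH_G = 2579, 2

def rsa_key_exchange_session(seed):
    """No PFS: the client encrypts a premaster secret under the server's RSA key."""
    premaster = random.Random(seed).randrange(2, N)
    transcript = {"enc_premaster": rsa_enc(premaster)}    # what a passive recorder sees
    return premaster, transcript

def dhe_session(seed):
    """PFS: the server signs an ephemeral g^b; the shared secret g^ab never crosses the wire."""
    rng = random.Random(seed)
    a, b = rng.randrange(2, DH_P - 1), rng.randrange(2, DH_P - 1)
    ga, gb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"ga": ga, "gb": gb, "sig": rsa_sign(gb)}
    assert rsa_verify(gb, transcript["sig"])              # client verifies the server's signature
    return pow(ga, b, DH_P), transcript

def recover_from_recording(transcript):
    """Passive attacker holding the leaked D replays a recorded handshake transcript."""
    if "enc_premaster" in transcript:
        return rsa_dec(transcript["enc_premaster"])       # past session fully exposed
    # DHE: D only signs/verifies; g^ab is not derivable from ga, gb at real key sizes
    return None

def leaked_key_still_impersonates(own_gb):
    """PFS or not, the leaked D signs a fresh handshake, so the certificate must be reissued."""
    return rsa_verify(own_gb, rsa_sign(own_gb))

if __name__ == "__main__":
    pm, t = rsa_key_exchange_session(1)
    print("RSA key exchange, past session recovered:", recover_from_recording(t) == pm)  # True
    s, t = dhe_session(1)
    print("DHE, past session recovered:", recover_from_recording(t) == s)                # False
```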


Yeah, it's the best and the fastest scenario. Yahoo changed their certificate some hours ago, for example.


As pointed out by others, the password changes really only have an effect if the certificate was also updated. This morning a certificate renewal was requested and I can confirm that it has now been updated.

 

So if it's not too much hassle, change those passes again :P



roflol

 

Now I'm gonna update the password (for the first time in a decade).

 

thanks Neobond!



I can't seem to get the new cert... :(

 

I've Ctrl+F5'd, I've cleared all history, and I've tried switching to Chrome. I'd presume it might be some cache between me and the server, but even LastPass and SSL Labs are only seeing the old date...


  • 2 weeks later...

wall-of-text

 

Ugh, you didn't quote the entire post of the user who posted right before you - did you. xD

Btw., for anyone serious about passwords (meaning not anyone who's posted in here, hehe), you can generate fairly *secure* PWDs online and/or for anyone using (X)Ubuntu:

https://help.ubuntu.com/community/StrongPasswords

P.S.

 

I like to change mine every few months (using the max amount of letters) so changing it again is no biggie!

 

You must be a Window$ admin!! ;-P ;-D

P.P.S.

 

Not worried, I use a disposable password for forums :)

 

Ofc., as everyone should?.. :)

