neowin Change your password (Heartbleed zero-day vulnerability) CERT UPDATED!

[Krome 204]

Thanks.. it's fixed... cookie removed and it worked

i refer you to my previous post

 

log out and then back in. a new password cookie needs to be created for the front page

[Raa 1,563]

Considering I forgot my password and had it generated and emailed to me, i'm not worried... :laugh:

[Boo Berry 2,264]

I like to change mine every few months (using the max amount of letters) so changing it again is no biggie!

[+theblazingangel 137]

Isn't that only if you google or some how get duped into clicking on a fake Neowin link. If you bookmark neowin and use that we should be ok.

 

Also you can use this link https://www.ssllabs.com/ to check sites to see if they are vulnerable to the heartbleed vulnerability.

 

Depends on how paranoid you are. We (should) know all too well how extensively certain people are breaching our privacy and security, in particular systems administrators in some respects. A compromised certificate not only helps to add legitimacy to a phishing attack (which could perhaps be avoided with the use of a bookmark, as you suggest), but also to MITM attacks.

 

The vulnerability exposes application memory content, which could expose authentication credentials of user's logging in, or potentially even the site/service's private key (there seems to be some debate about this). Patching the hole prevents further data leakage, however there's still a problem if the private key was indeed compromised.

 

If the private key is indeed compromised:

 - Any secure communications without PFS are also compromised. This applies to all past and future communications, regardless as to whether the patch has been applied.

 - Communications protected with PFS are a little more complicated. They require that session keys are compromised independently from the RSA private key. If there's a possibility of private keys being leaked, there's certainly also a possibility of session keys being leaked, though it occurs to me that having to fish the right session key out of memory for a given communication might be a slightly trickier challenge. If it is possible, communications that have taken place prior to servers being patched may have been compromised. Communications taking place after the servers having been patched are secure, despite the private key having been compromised, but only as long as you are communicating with the correct servers.

 - Whether or not PFS is used, if the RSA private key is compromised, it is possible for an attacker to perform a MITM attack. PFS isn't going to do anything to protect you in this case.

 

Whether or not the certificate needs replacing depends on whether it has been possible for it to have been leaked through vulnerable application software, which as I mentioned seems to perhaps be under dispute. If it is indeed possible that the certificate may have been compromised, it is pointless for us to change our passwords prior to the certificate being replaced.

 

I really want to see this whole mess cleaned up as quickly as possible and I'd much rather see website/service owners assuming the worst case scenario and immediately replacing certificates than delaying things by spending time trying to understand and identify whether the architecture of the webserver software (or whatever) that they have been running over the past few years may perhaps have allowed the private key to be leaked in order to make a decision as to whether or not to go ahead with a replacement.

[Praetor 988]

Depends on how paranoid you are. We (should) know all too well how extensively certain people are breaching our privacy and security, in particular systems administrators in some respects. A compromised certificate not only helps to add legitimacy to a phishing attack (which could perhaps be avoided with the use of a bookmark, as you suggest), but also to MITM attacks.

 

The vulnerability exposes application memory content, which could expose authentication credentials of user's logging in, or potentially even the site/service's private key (there seems to be some debate about this). Patching the hole prevents further data leakage, however there's still a problem if the private key was indeed compromised.

 

If the private key is indeed compromised:

 - Any secure communications without PFS are also compromised. This applies to all past and future communications, regardless as to whether the patch has been applied.

 - Communications protected with PFS are a little more complicated. They require that session keys are compromised independently from the RSA private key. If there's a possibility of private keys being leaked, there's certainly also a possibility of session keys being leaked, though it occurs to me that having to fish the right session key out of memory for a given communication might be a slightly trickier challenge. If it is possible, communications that have taken place prior to servers being patched may have been compromised. Communications taking place after the servers having been patched are secure, despite the private key having been compromised, but only as long as you are communicating with the correct servers.

 - Whether or not PFS is used, if the RSA private key is compromised, it is possible for an attacker to perform a MITM attack. PFS isn't going to do anything to protect you in this case.

 

Whether or not the certificate needs replacing depends on whether it has been possible for it to have been leaked through vulnerable application software, which as I mentioned seems to perhaps be under dispute. If it is indeed possible that the certificate may have been compromised, it is pointless for us to change our passwords prior to the certificate being replaced.

 

I really want to see this whole mess cleaned up as quickly as possible and I'd much rather see website/service owners assuming the worst case scenario and immediately replacing certificates than delaying things by spending time trying to understand and identify whether the architecture of the webserver software (or whatever) that they have been running over the past few years may perhaps have allowed the private key to be leaked in order to make a decision as to whether or not to go ahead with a replacement.

 

yeah, it's the best and the fastest scenario. Yahoo changed their certificate some hours ago, for example.

[Steven P. 14,169]

As pointed out by others, the password changes really only have an effect if the certificate was also updated. This morning a certificate renewal was requested and I can confirm that it has now been updated.

 

So if it's not too much hassle, change those passes again :P

[Praetor 988]

So if it's not too much hassle, change those passes again :p

 

roflol

 

now i'm gonna update the password (for the first time in decade).

 

thanks Neobond!

[Scar 104]

Changed, thanks.

[+theblazingangel 137]

As pointed out by others, the password changes really only have an effect if the certificate was also updated. This morning a certificate renewal was requested and I can confirm that it has now been updated.

 

So if it's not too much hassle, change those passes again

 

I can't seem to get the new cert... :(

 

I've ctrl+f5'd, I've cleared all history, and I've tried switching to chrome. I'd presume it might be some cache between me and the server, but even lastpass and ssllabs are only seeing the old date...

[The Evil Overlord 18,441]

Not worried, I use a disposable password for forums :)

[Thief000 128]

Maybe wise to post this on the front page? Or send a general mail to all the members to let them know?

[LimeMaster 15,601]

Fake! The hammer never dropped!!   

Does it need to be real? :o

[einsteinbqat 183]

This should be front page, though.

[Nostromov 1]

wall-of-text

 

Ugh, you didn't quote the entire post of the user who posted right before you - did you. xD

Btw., for anyone serious about passwords (meaning not anyone who's posted in here, hehe), you can generate fairly *secure* PWDs online and/or for anyone using (X)Ubuntu:

https://help.ubuntu.com/community/StrongPasswords

P.S.

 

I like to change mine every few months (using the max amount of letters) so changing it again is no biggie!

 

You must be a Window$ admin!! ;-P ;-D

P.P.S.

 

Not worried, I use a disposable password for forums :)

 

Ofc., as everyone should?.. :)