Change your password (Heartbleed zero-day vulnerability) CERT UPDATED!



Krome

Thanks... it's fixed. Cookie removed and it worked.

I refer you to my previous post:

 

Log out and then back in. A new password cookie needs to be created for the front page.

Raa

Considering I forgot my password and had it generated and emailed to me, I'm not worried... :laugh:

Boo Berry

I like to change mine every few months (using the max amount of letters) so changing it again is no biggie!

+theblazingangel

Isn't that only if you Google or somehow get duped into clicking on a fake Neowin link? If you bookmark Neowin and use that, we should be OK.

 

Also, you can use this link https://www.ssllabs.com/ to check sites to see if they are vulnerable to the Heartbleed vulnerability.

 

Depends on how paranoid you are. We (should) know all too well how extensively certain people are breaching our privacy and security, in particular systems administrators in some respects. A compromised certificate not only helps to add legitimacy to a phishing attack (which could perhaps be avoided with the use of a bookmark, as you suggest), but also to MITM attacks.

 

The vulnerability exposes application memory content, which could expose authentication credentials of users logging in, or potentially even the site/service's private key (there seems to be some debate about this). Patching the hole prevents further data leakage; however, there's still a problem if the private key was indeed compromised.

 

If the private key is indeed compromised:

 - Any secure communications without PFS are also compromised. This applies to all past and future communications, regardless of whether the patch has been applied.

 - Communications protected with PFS are a little more complicated. They require that session keys are compromised independently from the RSA private key. If there's a possibility of private keys being leaked, there's certainly also a possibility of session keys being leaked, though it occurs to me that having to fish the right session key out of memory for a given communication might be a slightly trickier challenge. If it is possible, communications that have taken place prior to servers being patched may have been compromised. Communications taking place after the servers having been patched are secure, despite the private key having been compromised, but only as long as you are communicating with the correct servers.

 - Whether or not PFS is used, if the RSA private key is compromised, it is possible for an attacker to perform a MITM attack. PFS isn't going to do anything to protect you in this case.

 

Whether or not the certificate needs replacing depends on whether it has been possible for it to have been leaked through vulnerable application software, which as I mentioned seems to perhaps be under dispute. If it is indeed possible that the certificate may have been compromised, it is pointless for us to change our passwords prior to the certificate being replaced.

 

I really want to see this whole mess cleaned up as quickly as possible and I'd much rather see website/service owners assuming the worst case scenario and immediately replacing certificates than delaying things by spending time trying to understand and identify whether the architecture of the webserver software (or whatever) that they have been running over the past few years may perhaps have allowed the private key to be leaked in order to make a decision as to whether or not to go ahead with a replacement.

Praetor

[quotes theblazingangel's post above in full]

 

Yeah, it's the best and the fastest scenario. Yahoo changed their certificate some hours ago, for example.

Steven P.

As pointed out by others, the password changes really only have an effect if the certificate was also updated. This morning a certificate renewal was requested and I can confirm that it has now been updated.

 

So if it's not too much hassle, change those passes again :P

Praetor

So if it's not too much hassle, change those passes again :p

 

roflol

 

Now I'm gonna update the password (for the first time in a decade).

 

thanks Neobond!

Scar

Changed, thanks.

+theblazingangel

Steven P. wrote: As pointed out by others, the password changes really only have an effect if the certificate was also updated. This morning a certificate renewal was requested and I can confirm that it has now been updated.

 

So if it's not too much hassle, change those passes again :P

 

I can't seem to get the new cert... :(

 

I've Ctrl+F5'd, I've cleared all history, and I've tried switching to Chrome. I'd presume it might be some cache between me and the server, but even LastPass and SSL Labs are only seeing the old date...

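The check theblazingangel is trying to do by hand above (has the certificate really been reissued, and does the connection use PFS as discussed in the earlier post) can be done directly against the server rather than through a third-party scanner. This is an added example, not code from the thread or from Neowin; the 2014-04-07 cut-off, the host name and the two sample certificate dicts are assumptions or constructed data.

```python
# Added example, not code from the Neowin thread. Host, cut-off date and the
# sample certificate dicts below are assumptions / constructed data.
import socket
import ssl
from datetime import datetime, timezone

# Assumed cut-off: Heartbleed was publicly disclosed on 2014-04-07; a cert
# whose validity starts before that may have had its private key exposed.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)
# OpenSSL suite-name prefixes with an ephemeral key exchange (PFS). Static
# "ECDH-" / "DH-" suites (no trailing E) do not give forward secrecy.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def cert_not_before(cert: dict) -> datetime:
    """Parse the 'notBefore' field of an ssl.getpeercert() dict into UTC."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after(cert: dict, cutoff: datetime = HEARTBLEED_DISCLOSURE) -> bool:
    """True if the certificate's validity period starts after the cut-off."""
    return cert_not_before(cert) > cutoff


def cipher_has_pfs(cipher_name: str) -> bool:
    """True if the suite uses (EC)DHE; TLS 1.3 suites ('TLS_...') always do."""
    return cipher_name.startswith("TLS_") or cipher_name.startswith(PFS_PREFIXES)


def assess(cert: dict, cipher_name: str,
           cutoff: datetime = HEARTBLEED_DISCLOSURE) -> dict:
    """Map the thread's reasoning onto one observed connection."""
    fresh, pfs = reissued_after(cert, cutoff), cipher_has_pfs(cipher_name)
    return {
        "not_before": cert_not_before(cert).date().isoformat(),
        "cert_reissued": fresh,
        "forward_secrecy": pfs,
        # No PFS: a leaked key decrypts recorded sessions, patched or not.
        "past_sessions_exposed_if_key_leaked": not pfs,
        # A leaked key permits MITM until the cert is replaced, PFS or not.
        "mitm_possible_with_leaked_key": not fresh,
        # Changing the password before reissue just sends it under the old key.
        "safe_to_change_password": fresh,
    }


def fetch_cert_and_cipher(host: str, port: int = 443) -> tuple:
    """Live check: return (peer cert dict, negotiated cipher-suite name)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.cipher()[0]


# Constructed sample data in ssl.getpeercert() format (not real certificates).
SAMPLE_OLD_CERT = {"subject": ((("commonName", "forum.example"),),),
                   "notBefore": "Jan 15 00:00:00 2014 GMT",
                   "notAfter": "Jan 15 23:59:59 2015 GMT",
                   "serialNumber": "0123456789ABCDEF"}
SAMPLE_NEW_CERT = dict(SAMPLE_OLD_CERT, notBefore="Apr 09 00:00:00 2014 GMT",
                       serialNumber="FEDCBA9876543210")

if __name__ == "__main__":
    print(assess(SAMPLE_OLD_CERT, "AES128-SHA"))
    print(assess(SAMPLE_NEW_CERT, "ECDHE-RSA-AES128-GCM-SHA256"))
    # print(assess(*fetch_cert_and_cipher("forum.example")))  # live, assumed host
```

Comparing the serialNumber field against one recorded before the incident is a second way to confirm a reissue when a cache in the path keeps serving the old certificate.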
The Evil Overlord

Not worried, I use a disposable password for forums :)

  • 2 weeks later...
Thief000

Maybe wise to post this on the front page? Or send a general mail to all the members to let them know?

LimeMaster

Fake! The hammer never dropped!!

Does it need to be real? :o

einsteinbqat

This should be front page, though.

Nostromov

wall-of-text

 

Ugh, you didn't quote the entire post of the user who posted right before you, did you? xD

BTW, for anyone serious about passwords (meaning not anyone who's posted in here, hehe), you can generate fairly *secure* PWDs online and/or for anyone using (X)Ubuntu:

https://help.ubuntu.com/community/StrongPasswords

P.S.

 

I like to change mine every few months (using the max amount of letters) so changing it again is no biggie!

 

You must be a Window$ admin!! ;-P ;-D

P.P.S.

 

Not worried, I use a disposable password for forums :)

 

Ofc., as everyone should?.. :)
