pekv2 (OP)
April 12, 2014, 09:43:51 AM

rohnearner
April 12, 2014, 10:42:35 AM
Hmm, can we get a list of bitcoin related services and websites that might be affected by Heartbleed? And do we need to change the password of almost every internet service we use that uses OpenSSL?
Equate
April 12, 2014, 10:53:53 AM

Djao
Full Member
Offline
Activity: 208
Merit: 100
Risk-hedging platform for cryptocurrency investors
April 12, 2014, 10:59:02 AM
> Hmmm what is heartbleed? I don't want to click on links.
http://heartbleed.com/
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
Related current article in Wired: http://www.wired.com/2014/04/nsa-exploited-heartbleed-two-years/
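The over-read behind the heartbleed.com summary quoted above, as an added C example that is not part of the thread and is not OpenSSL's own code: a simplified model of a TLS heartbeat handler with and without the bounds check that OpenSSL 1.0.1g added. The record layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) follows RFC 6520; the `g_memory` region, the `g_secret` string, the four-byte "ping" payload and the `hb_record` / `heartbeat_*` names are constructed for this demo and are not from the thread.

```c
/* Simplified model of the Heartbleed over-read (CVE-2014-0160).
 * Added illustration, not OpenSSL's code: buffers, names and the "secret"
 * bytes below are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* One received heartbeat record: type(1) | payload_len(2, BE) | payload | padding(16).
 * `length` is how many bytes were actually received; the peer fills in
 * payload_len and may lie about it. */
typedef struct {
    const unsigned char *data;
    size_t length;
} hb_record;

/* Constructed "process memory": the peer's record sits at offset 0 and is
 * followed by bytes that belong to something else (standing in for another
 * connection's session data). */
static unsigned char g_memory[256];
static const char g_secret[] = "SESSION=deadbeef;PASSWORD=hunter2";

/* Build a request whose length field says `claimed_len` but whose real
 * payload is the 4 bytes "ping". Returns the record as actually received. */
static hb_record build_request(uint16_t claimed_len)
{
    hb_record rec;
    unsigned char *p = g_memory;
    const size_t real_payload = 4;

    memset(g_memory, 0, sizeof g_memory);
    p[0] = HB_REQUEST;
    p[1] = (unsigned char)(claimed_len >> 8);
    p[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(p + 3, "ping", real_payload);
    /* 16 bytes of padding end the record; the "secret" lives right after it */
    memcpy(p + 3 + real_payload + HB_PADDING, g_secret, sizeof g_secret);

    rec.data = g_memory;
    rec.length = 1 + 2 + real_payload + HB_PADDING;   /* 23 bytes really received */
    return rec;
}

/* Vulnerable handler: trusts the peer-supplied length, so memcpy reads
 * `payload` bytes starting inside the record and running past its end.
 * Returns bytes written to `out`, or -1 if the request is refused. */
static int heartbeat_vulnerable(const hb_record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    size_t payload;

    if (p[0] != HB_REQUEST) return -1;
    payload = ((size_t)p[1] << 8) | p[2];              /* attacker-controlled */
    if (3 + payload + HB_PADDING > out_cap) return -1;  /* demo-only guard on `out` */

    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);   /* over-read: never compared with rec->length */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed handler: same logic, but the claimed payload length is checked
 * against the number of bytes actually received before anything is copied.
 * Bad lengths are silently dropped (-1), as the 1.0.1g fix does. */
static int heartbeat_fixed(const hb_record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    size_t payload;

    if (rec->length < 1 + 2 + HB_PADDING) return -1;          /* too short to be valid */
    if (p[0] != HB_REQUEST) return -1;
    payload = ((size_t)p[1] << 8) | p[2];
    if (1 + 2 + payload + HB_PADDING > rec->length) return -1; /* the missing check */
    if (3 + payload + HB_PADDING > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Does the response contain the neighbouring secret? 1 = yes, 0 = no. */
static int leaks_secret(const unsigned char *buf, size_t len)
{
    size_t n = strlen(g_secret);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, g_secret, n) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char out[512];
    hb_record lying = build_request(200);   /* claims 200 bytes, sends 4 */
    int n = heartbeat_vulnerable(&lying, out, sizeof out);
    printf("vulnerable handler: %d bytes returned, secret leaked: %s\n",
           n, (n > 0 && leaks_secret(out, (size_t)n)) ? "yes" : "no");
    n = heartbeat_fixed(&lying, out, sizeof out);
    printf("fixed handler: %s\n", n < 0 ? "request dropped" : "answered");
    return 0;
}
```

Build with `cc -std=c99 -Wall heartbleed_model.c`. In real OpenSSL the response buffer was allocated from the claimed length, so the write stayed in bounds and only the read ran past the record, by up to 64 KiB per request; the 1.0.1g fix is exactly the comparison against the received record length in `heartbeat_fixed`. This also shows why a password change only helps once the server side is patched: the fixed handler drops the request before any copy happens, while the vulnerable one keeps answering with whatever sits next to the record.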
Kiki112
April 12, 2014, 11:01:43 AM
> Hmm, can we get a list of bitcoin related services and websites that might be affected by Heartbleed? And do we need to change the password of almost every internet service we use that uses OpenSSL?
> Hmmm what is heartbleed? I don't want to click on links.
It's a bug in the system that allows users to steal data.
rohnearner
April 12, 2014, 11:02:28 AM
> Hmm, can we get a list of bitcoin related services and websites that might be affected by Heartbleed? And do we need to change the password of almost every internet service we use that uses OpenSSL?
> Hmmm what is heartbleed? I don't want to click on links.
It's a bug that has affected many popular websites and services like Gmail, FB, and some others using OpenSSL/TLS. The bug has been there since 2011 and is very highly vulnerable. Click the Mashable link shared above for more info! It's fine!
Equate
April 12, 2014, 11:07:25 AM
Quite simple explanation.
zolace
April 12, 2014, 11:08:22 AM
Thanks for the warning. I heard something about it on TV, but I didn't pay attention to it. It's time to change all my passwords.
rohnearner
April 12, 2014, 11:14:33 AM
> Thanks for the warning. I heard something about it on TV, but I didn't pay attention to it. It's time to change all my passwords.
Hmm, most websites and other services will deny that they were affected, but I'd suggest you change your password. Better safe than sorry.
Equate
April 12, 2014, 11:16:06 AM
> Quite simple explanation.
Lol, not so simple :p. Just go and change all your passwords in the world. It is simple.
pekv2 (OP)
April 12, 2014, 03:27:06 PM
Open source developers never caught this, or created it themselves > sold to NSA. Developers = profit? Does anyone have a list of who has patched their websites/servers? Because if they are not patched/fixed, it's pointless to even change passwords. Some more info would be awesome.
Edit: It just eats my brain that this went undetected for years.
cooldgamer
Legendary
Offline
Activity: 1218
Merit: 1003
We are the champions of the night
April 12, 2014, 03:28:28 PM
> Open source developers never caught this, or created it themselves > sold to NSA. Developers = profit?
> Does anyone have a list of who has patched their websites/servers? Because if they are not patched/fixed, it's pointless to even change passwords.
> Some more info would be awesome.
Here's one.
forever21
April 12, 2014, 05:36:36 PM
Does this affect mobiles and Android also?
blacksails
April 12, 2014, 06:09:06 PM
> Does this affect mobiles and Android also?
It affects everything that uses OpenSSL. All services on Android that use OpenSSL are/were affected.
jparsley
April 12, 2014, 08:11:53 PM
> Hmm, can we get a list of bitcoin related services and websites that might be affected by Heartbleed? And do we need to change the password of almost every internet service we use that uses OpenSSL?
It's worse than that. Changing your password won't help if the site does not update their software.
pekv2 (OP)
April 12, 2014, 09:14:32 PM
> Hmm, can we get a list of bitcoin related services and websites that might be affected by Heartbleed? And do we need to change the password of almost every internet service we use that uses OpenSSL?
> It's worse than that. Changing your password won't help if the site does not update their software.
That Mashable page shows, in the box on the right side, if they fixed/patched it.
kuroman
April 12, 2014, 10:06:34 PM
Double identification, guys.
apepoof
April 12, 2014, 10:08:51 PM
Damn, the list is helpful, thanks!
Kluge
Donator
Legendary
Offline
Activity: 1218
Merit: 1015
April 12, 2014, 11:02:34 PM
I'd guess the biggest take-away here is that, again, you absolutely cannot be reusing passwords and shouldn't even be reusing email addresses or usernames (though I'll admit to usually doing the latter). Judging their "security competence" is relevant, but not everything, because, as this vulnerability points out pretty clearly, you need to trust many more entities than just the pen-testers and devs at one particular website -- it's simply impossible for your data to really be secure if you've shared it no matter who's storing it. Even storing everything on an online computer with just a password to unlock is risky.
[OT rambling on something I know nothing about] We're at a point, now, where I think there's really a market for semi-offline computers (not a full-blown giant box, but something which can fit in something like a HDD bay of a PC case and connect via SATA and maybe it could also just be a module inside a CPU with dedicated pins to interact with just one dedicated USB port) which seamlessly interacts with your online computers to provide needed credentials but which don't "wake up" to provide that information unless you physically provide some kind of biometric data or other data unique in physical space like a Yubikey. So, say you want to log in to a website. You click the "login" button which immediately tells your PC's software to start trying pull attempts on your credentials. All pull and push requests in queue are displayed in a dialog box, and you could get super-secure by having an additional button on the Yubikey-like to lock in all requests first. You'd then activate your Yubikey-similar which wakes up the semi-offline PC and provides a password to confirm the wake command is legitimate (it's never stored on the online PC and the online PC has no means of decrypting it). The PC then receives and processes all pull requests in queue and then immediately goes back to sleep, so you're logged into whatever you're queued for without needing to type any information in. The same process works for saving credentials, where your PC's software has a queue of data (credentials to store) to push to the semi-offline PC; you press your Yubikey and then that data is allowed to pass from your PC to the semi-offline PC. You encrypt all this so there are two sets of keys (online can decrypt credential retrievals and encrypt credential saves, semi-offline can encrypt credential retrievals and decrypt credential saves). Setup would take a couple minutes... 
maybe you have a switch on the Yubikey with three positions (offline pair, online pair, use), where you pop the Yubikey into the semi-offline and hit a button (wait for a LED to blink to confirm it's ready), then insert it into the online computer, hit a button to pair - repeat the process backwards for the online pairing, then leave the Yubikey in the online computer in the "use" switch for normal use. You can keep a spare Yubikey or two with the same seeds in safe places which maybe require some type of manufacturer-set password to activate.
In all of this, the only way you can use it is with an original or identical Yubikey-like physically connected to the online PC which is paired with the physically-connected semi-offline PC. Once in the "use" position, you could also do things like require the Yubikey-like be given a password and use (probably biometric) 2FA. I'd guess you can get the added cost of all this down to around $40 in mass production. You basically just have a small, enclosed rpi, Yubikey, and specialized but fairly simple software. I think the simplicity of pressing buttons exceeds the complexity of learning how/when to press buttons and to do the initial pairing.
I'd guess this is mostly on OS devs and major PC assemblers, because everything else is going to feel kludgey/clunky; it should be something more "default," I think. As far as hardware, then, the only thing "sticking out" is the Yubikey-like device, which many of us already have one or a few of. Or something like that. I'm sure someone can think of a smarter solution.
kuroman
April 12, 2014, 11:40:25 PM
If you consider that the NSA knew about this bug for more than 2 years and kept it a secret so they could exploit it, but at the same time they kept people exposed to the danger