Heartbleed

zippypinhead · Apr 10, 2014

Heads up on a new server vulnerability that affects many common services. It's called Heartbleed. Bottom line is that it's probably time to update your passwords. The recommendation is to wait until there has been a verified patch applied to a given site. CNET has compiled a list of common services, and whether they've been patched. I've spent the afternoon updating my passwords, which needed it anyway.

My question is whether or not MFC or any other cam sites have this vulnerability, and whether or not they have been or will be patched.

Kradek · Apr 10, 2014

zippypinhead said:
My question is whether or not MFC or any other cam sites have this vulnerability, and whether or not they have been or will be patched.

Test here.

Sevrin · Apr 10, 2014

All good, www.ambercutie.com seems fixed or unaffected!

:thumbleft:

xCumZillax · Apr 10, 2014

I was having trouble getting my profile changes to save. Really annoying. Anyone else have this problem?

Shaun__ · Apr 11, 2014

Link to the original on xkcd.com.

eclipse76 · Apr 11, 2014

I don't think MFC even use HTTPS. At least for members, they do not.

I've just checked and they send the password in clear over the wire, they don't even try to hash it before, what a joke!
I hope nobody here uses that password for anything else.

Don't worry about Heartbleed on MFC, it's unprotected by defaut.

Sevrin · Apr 11, 2014

eclipse76 said:
I don't think MFC even use HTTPS. At least for members, they do not.

I've just checked and they send the password in clear over the wire, they don't even try to hash it before, what a joke!
I hope nobody here uses that password for anything else.

Don't worry about Heartbleed on MFC, it's unprotected by defaut.

Well, the payment processors are what you really want to be sure about, since MFC doesn't handle money itself. And yeah, not using the same password on multiple sites is base-level security.

zippypinhead · Apr 11, 2014

Shaun__ said:
Link to the original on xkcd.com.

Speaking of XKCD, here's a strip about password strength.

Sevrin · Apr 11, 2014

Well, now there is a report on Bloomberg saying that the NSA has been aware of and exploiting this vulnerability for a couple of years. And here we are getting all worried.

Shaun__ · Apr 11, 2014

zippypinhead said:
Shaun__ said:

Link to the original on xkcd.com.

Speaking of XKCD, here's a strip about password strength.

Click to expand...

I bet correcthorsebatterystaple is in dictionary attack files now.

Jupiter551 · Apr 11, 2014

list of some common websites here and whether or not they're affected. Notables for camgirls include dropbox, tumblr, pinterest and instagram in addition to google, yahoo services etc, as well as some banks.
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

JerryBoBerry · Apr 11, 2014

Jupiter551 said:
list of some common websites here and whether or not they're affected. Notables for camgirls include dropbox, tumblr, pinterest and instagram in addition to google, yahoo services etc, as well as some banks.
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

i like that none of the banks were ever affected.

CallMeWilliam · Apr 11, 2014

eclipse76 said:
I've just checked and they send the password in clear over the wire, they don't even try to hash it before, what a joke!

Personally I believe that MFC's passwords are not even stored encrypted due to the fact they are not case sensitive.

Your confusing hashing and encryption. Encryption is reversible given you have the key which would allow them to send you your password in plain text while hashing is one way and cannot be un-hashed. This also means that any site that uses encryption can see your password.

JerryBoBerry said:
i like that none of the banks were ever affected.

Probably because they are running software linked against older version of OpenSSL, Banks are notorious for running outdated software, same as governments.

Jesse0328 · Apr 11, 2014

CallMeWilliam said:
JerryBoBerry said:

i like that none of the banks were ever affected.

Click to expand...

Probably because they are running software linked against older version of OpenSSL, Banks are notorious for running outdated software, same as governments.

My credit union sent a reassuring email this week that they weren't affected by the OpenSSL vulnerability. However, if you test the online banking portal using SSL Labs' server testing utility, they use a bunch of outdated protocols and get an immediate failing grade for using SSL 2, which is obsolete.

Search

Search

Heartbleed

zippypinhead

Kradek

Sevrin

xCumZillax

Shaun__

eclipse76

Sevrin

zippypinhead

Attachments

Sevrin

Shaun__

Jupiter551

JerryBoBerry

CallMeWilliam

Jesse0328

Similar threads