Critical crypto bug exposes Yahoo Mail passwords Russian-roulette style
- Thread starter JournalBot
- Start date
I am doubly glad that I switched over to using a password manager. Makes it a lot easier to keep log in information unique.
Upvote
49
(54
/
-5)
Probably TLS-supporting mail servers and OpenVPN clients as well. Atlassian JIRA is having issues as well, and they don't seem to be dynamically linked, either, so we have to wait on them.
Gmail had TLS heartbeat enabled as of an hour ago.
This is quite the nightmare.
Edit: I'm actually seeing conflicting reports, some places report TLS heartbeat support, but exploit scripts don't seem to recognize or be able to use it.
Gmail had TLS heartbeat enabled as of an hour ago.
This is quite the nightmare.
Edit: I'm actually seeing conflicting reports, some places report TLS heartbeat support, but exploit scripts don't seem to recognize or be able to use it.
Upvote
16
(16
/
0)
WTF? How do you even stay away from your mail? Your phone alone checks it every 2-5 minutes. What disable email on every device you have now?
Eva01
Eva01
Upvote
24
(26
/
-2)
I often get ignored or ridiculed at my current organization when I try to push static analysis tools but this bug and the apple bug illustrates how important it is to be able to check for common bugs.
Unit tests are not the answer as they only test what you remember to check.
'If' without braces and range checks are the first thing any static analysis tool should be setup to fail.
Java PMD even has the braces check in its standard rule set.
Unit tests are not the answer as they only test what you remember to check.
'If' without braces and range checks are the first thing any static analysis tool should be setup to fail.
Java PMD even has the braces check in its standard rule set.
Upvote
35
(35
/
0)
Whelp this is going to very ugly very quickly..... I bet a lot of private keys are about to get changed...
Edit: Spelling
Edit: Spelling
Upvote
12
(12
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=26609767#p26609767:3hz1rn7x said:
Any word on vulnerability of hosted password manager services like lastpass? Even two factor auth is no guarantee if the second factor is tied to an email service that is also vulnerable...
Upvote
24
(24
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=26609881#p26609881:2edxxzi6 said:
Gotta keep folks out of your bushes!
Upvote
17
(17
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=26609903#p26609903:2c222sv7 said:
This is their response:
http://www.cnet.com/news/heartbleed-bug ... passwords/
and http://blog.lastpass.com/2014/04/lastpa ... d-bug.html
Upvote
43
(43
/
0)
You could have used Yahoo as an example without making the article title suggest it's an issue particular to them.
Upvote
47
(54
/
-7)
[url=http://meincmagazine.com/civis/viewtopic.php?p=26609943#p26609943:3s81li12 said:
It gives you better chances at Russian roulette than most revolvers...
Upvote
15
(16
/
-1)
Bugs like this don't happen in memory-managed languages like Java. If we insist on writing our security software in C, perhaps it should be written in a variant that enforces the validity of memory accesses at runtime. Performance would suffer negligibly compared to the security benefit. Unfortunately certain operations would have to be disallowed but the resulting inconvenience is a small price to pay.
Upvote
39
(47
/
-8)
Good to see some actual rubber-on-the-road proof of the vulnerability, since in the earlier thread people were quite sensibly asking how often something interesting does churn through the 64kB window.
Is there an up-to-date summary page of the state of major services like Gmail, Yahoo, etc, showing whether they've patched and re-issued keys? I don't want to go updating passwords on each until I know they've shut their peephole.
Is there an up-to-date summary page of the state of major services like Gmail, Yahoo, etc, showing whether they've patched and re-issued keys? I don't want to go updating passwords on each until I know they've shut their peephole.
Upvote
49
(49
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=26610001#p26610001:6hc5b81y said:
I wish I got a big payout every time I fucked up my logic - I'd surely have enough money to slow down and do it properly the first time!
(just kidding - I'd still fuck up. It's a variant of Hofstadter's Law: tomorrow you will see something in your code so bone-headed that you pretend for a second it suffered bitrot overnight - and this will surprise you even though you already adjusted your expectations downwards.
Upvote
24
(25
/
-1)
robert.walter
Ars Praefectus
[url=http://meincmagazine.com/civis/viewtopic.php?p=26610045#p26610045:21l75ip5 said:
This**10!
The guy running the 2 factor implementation summary page could just add an additional column to his matrix!
Upvote
16
(17
/
-1)
Has any credible website posted a definitive "what Internet users need to do" guide for what needs to be done in the aftermath of this vulnerability? Do all passwords need to be changed? Stop logging in to all services for some period of time? Are there tools to test whether the websites we use are still vulnerable?
Upvote
31
(31
/
0)
LastPass' own blog said there is no breech because all of the transmitted data is already in an encrypted state on the client's machine before it ever gets sent.[url=http://meincmagazine.com/civis/viewtopic.php?p=26609903#p26609903:kul4trh8 said:
http://blog.lastpass.com/2014/04/lastpa ... d-bug.html
They also use Perfect Forward Secrecy.
Upvote
10
(10
/
0)
robert.walter
Ars Praefectus
[url=http://meincmagazine.com/civis/viewtopic.php?p=26609955#p26609955:1t12omue said:
As a yahoo subscriber, I'm glad they did. If more pressure causes the purple Y! to move its ass I'm all for it.
Other sites will have to follow suit as soon as the topic slips into the mainstream on the back of Yahoo as whipping boy.
Upvote
23
(23
/
0)
You can check whether a particular website is vulnerable using this link:
http://filippo.io/Heartbleed/
It looks like yahoo.com is still vulnerable
http://filippo.io/Heartbleed/
It looks like yahoo.com is still vulnerable
Upvote
13
(13
/
0)
When I scanned Yahoo a few minutes ago they weren't vulnerable. But I'm starting to wonder if that python script has issues.[url=http://meincmagazine.com/civis/viewtopic.php?p=26610147#p26610147:20ayn2u8 said:
Upvote
4
(4
/
0)
As mentioned in the prior article, the key is getting the old certificate revoked too, or else it can still be used in a MITM attack where the client never sees the new cert.
Upvote
4
(4
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=26609903#p26609903:1bh12vgv said:
http://blog.lastpass.com/2014/04/lastpa ... d-bug.html
Upvote
2
(2
/
0)
equote="Vigilante1024"]
Any word on vulnerability of hosted password manager services like lastpass? Even two factor auth is no guarantee if the second factor is tied to an email service that is also vulnerable...[/quote]
Or the shared secret happens to be memory too ( thinking of Google authenticator).
Edit: given that a Google engineer was one of the people finding the bug, I'm guessing google is patched.
[url=http://meincmagazine.com/civis/viewtopic.php?p=26609767#p26609767:1ew1tlol said:
Any word on vulnerability of hosted password manager services like lastpass? Even two factor auth is no guarantee if the second factor is tied to an email service that is also vulnerable...[/quote]
Or the shared secret happens to be memory too ( thinking of Google authenticator).
Edit: given that a Google engineer was one of the people finding the bug, I'm guessing google is patched.
Upvote
-3
(1
/
-4)
My router firmware (Tomato/Shibby v1.16) is vulnerable. I've shut off remote access to the web console until this gets resolved.
Upvote
0
(6
/
-6)
You know, you should post an article about how Ars Tech was vulnerable with user accounts compromised.
Upvote
46
(49
/
-3)
That's exactly why I created this throwaway account to log in on Ars Technica. This website is extremely vulnerable. Just check the comments under http://meincmagazine.com/security/2014/04 ... 1&start=40 (look at the end of the page).
Upvote
6
(11
/
-5)
[url=http://meincmagazine.com/civis/viewtopic.php?p=26610237#p26610237:25n46tqi said:
You shouldn't have remote access to your router enabled in the first place.
Upvote
47
(48
/
-1)
You don't have to keep logging in under the throwaway account. They updated OpenSSL this morning.[url=http://meincmagazine.com/civis/viewtopic.php?p=26610257#p26610257:16e8npnm said:
Upvote
10
(10
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=26610363#p26610363:v9ddaaql said:
maybe adjust some power management settings? if you have to wake up your machines over the lan to do their jobs, then it seems like they aren't really doing what they're supposed to be doing anyway.
Upvote
10
(10
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=26610257#p26610257:vi47fkdu said:
If you actually read the thread, you'd see that Ars updated their servers this morning within hours of the news breaking. AKA - as soon as the admins became aware, and as soon as the OpenSSL patch was available.
Nice try.
Don't know that I'd call that "extremely vulnerable"
Upvote
18
(21
/
-3)
Was gmail at any point vulnerable? I tried checking about a hour ago and it wasn't at that point.
Upvote
5
(5
/
0)
I think that is time for large companies that make use of this library and can afford it to contribute more with man power and financially to the openssl project .
Meanwhile, just grab your guns and everything will be OK....
Meanwhile, just grab your guns and everything will be OK....
Upvote
8
(8
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=26610385#p26610385:3c1a0oja said:
I saw this. I wonder if they have swapped there SSL Cert yet? I would imagine Ars public key was compromised, everything else appeared to be.
Upvote
4
(4
/
0)
- Status