
Heartbleed

Status
Not open for further replies.
So apparently this Heartbleed is a big deal and something we should worry about.

After a quick check using this site:
http://filippo.io/Heartbleed/ (I don't know if it gives a trustworthy answer)

It appears that Hive is in the compromised category.
Google.com and Facebook.com are apparently safe.

I am not capable of giving detailed info about Heartbleed since I don't know how it works.
But here is a heads-up to those of you who care.

Here is a link with more info:
http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/
 

Dr Super Good

Only people who were using OpenSSL were affected. It also only affects server owners in the form of a personal information leak so there is no updating needed for clients (unless they host a private SSL connection for some reason in which case they need to update).

Blizzard was also not affected because they use their own security systems (not OpenSSL).

The problem comes about with the heartbeat message that is part of SSL. By using an invalid offset field (larger than the buffer) you gain access to nearby addresses in the process memory space (64 KB of memory to be exact). This is not a direct data leak (they cannot query specific personal information) but it does allow them to snoop at what traffic is going through the SSL process since it mostly uses memory around that 64 KB area to handle all connections. This lets hackers get recently transmitted personal information and store it for use later in a crime.

Basically a bounds check fault. Someone forgot to check if value < size. Yes that is how dumb most of these security faults are.
 