Heartbleed

Solu9 · Apr 11, 2014

So apparently this Heartbleed is a big deal and something we should worry about.

After a quick check using this site:
http://filippo.io/Heartbleed/ (I don't know if it gives a trustworthy answer)

It appears that Hive is in the compromised category.
Google.com and Facebook.com are apparently safe.

I am not capable of giving detailed info about Heartbleed since I don't know how it works.
But here is a heads up to you who cares.

Here is a link with more info:
http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/

Heinvers · Apr 11, 2014

WUT? I need to change some passwords apparently:/
Edit: Excuse my lack of knowledge:/

Zombie · Apr 11, 2014

I liked the 300 free gold as well.

Dr Super Good · Apr 11, 2014

Only people who were using openSSL were affected. It also only affects server owners in the form of a personal information leak so there is no updating needed for clients (unless they host a private SSL connection for some reason in which case they need to update).

Blizzard was also not affected because they use their own security systems (not openSSL).

The problem comes about with the heartbeat message that is part of SSL. By using an invalid offest field (larger than the buffer) you gain access to nearby addresses in the process memory space (64 KB of memory to be exact). This is not a direct data leak (they cannot query specific personal information) but it does allow them to snoop at what traffic is going through the SSL process since it mostly uses memory around that 64 KB area to handle all connections. This lets hackers get recently transmitted personal information and store it for use later in a crime.

Basically a bounds check fault. Someone forgot to check if value < size. Yes that is how dumb most of these security faults are.

Ralle · Apr 11, 2014

Eh, that does not make sense. We are not even using HTTPS.

EDIT: turns out we had HTTPS enabled but it was never being used, still, it could be misused I suppose.

After upgrading and fixing things broke, so the server was down for like 30 minutes.

Zeatherann · Apr 15, 2014

So, was it an issue with this site? Not like it matters because nothing here is sensitive.

Ralle · Apr 15, 2014

We had HTTPS but it was never used, so no useful data was revealed to people. I just disabled HTTPS.

Zeatherann · Apr 15, 2014

Oh hehe.

Heartbleed

Solu9

Solu9

Resources

Heinvers

Heinvers

Resources

Zombie

Zombie

Resources

Dr Super Good

Dr Super Good

Resources

Ralle

Ralle

Resources

Zeatherann

Zeatherann

Resources

Ralle

Ralle

Resources

Zeatherann

Zeatherann

Resources

Similar threads