
URGENT! Critical SSL Vulnerability

zagman76

Wackbagger, Geek, Administrator
Wackbag Staff
Nov 18, 2004
12,560
578
628
Long Island, NY
#1
Ok - this is my 4th time today writing a post like this, and unfortunately you are getting the super-abridged version.

Please read these articles which explain what the vulnerability is and just how bad this bug is:
http://arstechnica.com/security/201...opens-two-thirds-of-the-web-to-eavesdropping/

http://arstechnica.com/security/201...-yahoo-mail-passwords-russian-roulette-style/

and for good measure:
http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

This is not a "bla bla, bla, it'll be OK" type of problem. This is a real problem with a proven exploit. In fact, the best thing to do would literally be to stay off of the internet for a few days until it settles a little bit.

While we all have a good time here and joke around and such, I take your security while visiting the site very seriously.

As soon as I saw the vulnerability, I patched our server and as of right now, I have re-issued our SSL certificate with the patched version of OpenSSL (the cryptographic software which handles SSL Certificates), so we are no longer vulnerable.

If you are interested in such things, and look at the details of our SSL certificate, you should no longer trust any wackbag.com certificate that claims to be valid before:
Wednesday, April 9, 2014 at 7:22:04 PM Eastern Daylight Time
The valid certificate has a serial number of:
1234966390449442
and SHA1 & MD5 Hashes of:
SHA1 - A3 44 A4 43 C5 66 2A 30 AD 92 58 15 F4 70 4B 0B 32 44 5C 3E
MD5 - ED 11 97 81 37 AE 77 5A A2 9F E7 06 07 FF 24 81
Right now, the best piece of advice (aside from avoiding the internet) would be to change your password on any site that you consider to be important (banking, credit cards, email, to name a few). As always, it is strongly recommended that you do not re-use the same password across multiple sites, as a password compromise in one site can then be exploited to gain access to all the others.

One tool that does a superb job at managing and maintaining multiple, secure passwords is a web-browser extension called LastPass. This works with all web browsers, is free, and can remember all of the various passwords you may have for different websites. It will even suggest and generate stronger passwords if it detects that your current passwords are too weak. It does this without actually seeing your passwords.

For an additional layer of security, many sites offer two-factor authentication which, when enrolled, would send you an SMS every time you attempt to log into the site.

:edit: correcting language in regards to which cert is valid and which is not.
 
Last edited:
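The post publishes a serial number, SHA1 and MD5 fingerprints and a not-valid-before time for the re-issued certificate. The script below is an added example (not code from the post or from the site) that turns those published values into a check: it fetches the certificate a host presents, hashes the DER encoding to get the fingerprints, compares serial and fingerprints, and flags any certificate whose notBefore predates the re-issue. The hostname wackbag.com, port 443 and the conversion of 7:22:04 PM EDT to 23:22:04 UTC are assumptions; the certificate from 2014 is long expired, so on today's network it will report mismatches, and the value of the script is that the same check works for any published fingerprint and date you substitute.

```python
"""Compare a host's current TLS certificate against values an operator
published after re-issuing it (here, the serial, SHA1/MD5 fingerprints
and notBefore time from the post), and flag anything that predates the
re-issue. Added example; hostname, port and the UTC conversion are assumed."""
import hashlib
import socket
import ssl
from datetime import datetime, timezone

# Values copied from the post. 7:22:04 PM EDT (UTC-4) on April 9, 2014
# is 23:22:04 UTC; the conversion is an assumption, not stated in the post.
EXPECTED = {
    "serial": 1234966390449442,
    "sha1": "A3 44 A4 43 C5 66 2A 30 AD 92 58 15 F4 70 4B 0B 32 44 5C 3E",
    "md5": "ED 11 97 81 37 AE 77 5A A2 9F E7 06 07 FF 24 81",
    "not_before": datetime(2014, 4, 9, 23, 22, 4, tzinfo=timezone.utc),
}


def normalize_fingerprint(text):
    """Reduce 'A3 44 A4', 'a3:44:a4' or 'A344A4' to one comparable form."""
    return "".join(c for c in text.upper() if c in "0123456789ABCDEF")


def fingerprints(der):
    """A certificate fingerprint is a hash over its DER encoding."""
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "md5": hashlib.md5(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),  # what modern tools display
    }


def check_certificate(der, serial_hex, not_before, expected=EXPECTED):
    """Compare an observed certificate against the published values.

    der        -- DER bytes of the leaf certificate
    serial_hex -- serial number as hex text (the form ssl.getpeercert() returns)
    not_before -- the notBefore field as text, e.g. 'Apr  9 23:22:04 2014 GMT'
    Returns a list of findings; an empty list means everything matched.
    """
    findings = []
    observed = fingerprints(der)
    for algo in ("sha1", "md5"):  # the two hashes the post gives
        if observed[algo] != normalize_fingerprint(expected[algo]):
            findings.append(f"{algo} fingerprint mismatch: saw {observed[algo]}")
    if int(serial_hex, 16) != expected["serial"]:
        findings.append(f"serial mismatch: saw {int(serial_hex, 16)}")
    issued = ssl.cert_time_to_seconds(not_before)
    if issued < expected["not_before"].timestamp():
        findings.append(f"validity starts {not_before}, before the re-issue: do not trust")
    return findings


def fetch_certificate(host, port=443, timeout=10):
    """Fetch the live leaf certificate. Needs network; not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    return der, info["serialNumber"], info["notBefore"]


if __name__ == "__main__":
    der, serial_hex, not_before = fetch_certificate("wackbag.com")  # assumed host
    problems = check_certificate(der, serial_hex, not_before)
    print("OK: certificate matches the published values" if not problems
          else "\n".join(problems))
```

The check only tells you whether the certificate you are being shown is the post-patch one; whether the pre-patch certificate was also revoked is a separate question that a fingerprint comparison cannot answer.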

Ballbuster1

In The Danger Zone...
Wackbag Staff
Aug 26, 2002
102,195
16,392
839
Your house, behind the couch
#3
I was reading a few articles on this earlier.

Guess I need to get a few sheets of paper out and start
changing passwords. Thanks zag.
 

Creasy Bear

gorgeousness and gorgeousity made flesh
Donator
Mar 10, 2006
47,918
35,744
628
In a porn tree
#4
Aaaaaaahh! I got the cyberAIDS in my pee hole!!! Get it off! Get it off me!

Save me, zagman! Get the cyberAIDS out of my pee hole!
 
May 30, 2013
45,473
41,387
268
#5
Bobo's cyber penetration goes much deeper than his sexual penetration ever could. I just hope we can recover from this.
 

whiskeyguy

PR representative for Drunk Whiskeyguy.
Jan 12, 2010
36,214
21,810
398
Northern California
#6
Would it make sense to change our passwords now, or wait a few days until companies can patch their systems?

Two of my old Yahoo email accounts were hacked in the last month... I think it's time to delete them and just consolidate all my email to gmail.
 

zagman76

Wackbagger, Geek, Administrator
Wackbag Staff
Nov 18, 2004
12,560
578
628
Long Island, NY
#7
> Would it make sense to change our passwords now, or wait a few days until companies can patch their systems?
>
> Two of my old Yahoo email accounts were hacked in the last month... I think it's time to delete them and just consolidate all my email to gmail.
That's the tricky part... you want to be secure, yet if you change your password today and the website was originally vulnerable but hasn't fixed their shit, then an attacker can use any potentially captured data, decrypt the data and use that against you.

These types of situations have a lot of moving parts, so the "right way" may be different for different people and different web-sites. In addition, it's not like 'Bank of America' is going to come out and say "Oh, by the way, we're vulnerable to this super-critical web attack! Please don't attack us until we update!"

I would say:
Enable MFA (multi-factor authentication) where available
Change your password immediately
Wait a week or so (or until the website announces that they have been fixed)... then change your password again.
 

Creasy Bear

gorgeousness and gorgeousity made flesh
Donator
Mar 10, 2006
47,918
35,744
628
In a porn tree
#8
I think we all knew that one day Jon The Mop would be back to take his revenge.
 

THE FEZ MAN

as a matter of fact i dont have 5$
Aug 23, 2002
41,058
8,822
768
#9
I'm sure this will fuck me in some way.
 

whiskeyguy

PR representative for Drunk Whiskeyguy.
Jan 12, 2010
36,214
21,810
398
Northern California
#10
> That's the tricky part... you want to be secure, yet if you change your password today and the website was originally vulnerable but hasn't fixed their shit, then an attacker can use any potentially captured data, decrypt the data and use that against you.
>
> These types of situations have a lot of moving parts, so the "right way" may be different for different people and different web-sites. In addition, it's not like 'Bank of America' is going to come out and say "Oh, by the way, we're vulnerable to this super-critical web attack! Please don't attack us until we update!"
>
> I would say:
> Enable MFA (multi-factor authentication) where available
> Change your password immediately
> Wait a week or so (or until the website announces that they have been fixed)... then change your password again.
Alright I'll change the passwords to the critical accounts... although I have hundreds of accounts and it takes me hours to reset the passwords... and I just did it two months ago. Ugh.

Just out of curiosity, how would staying off the internet help? Wouldn't the systems of these sites still be vulnerable, and thus our information at risk, even if we didn't log in?
 

Absolutely

Self-Heavy
Jan 25, 2006
33,634
4,413
578
Saint Louis
#12
This is all over my head.
Let's say I don't do any real banking online, and don't have anything of value in any emails. I do use my credit card to buy things online, but what can I do about that...
What, are people going to start posting as me on Tranny Forums now?
 

zagman76

Wackbagger, Geek, Administrator
Wackbag Staff
Nov 18, 2004
12,560
578
628
Long Island, NY
#14
> Alright I'll change the passwords to the critical accounts... although I have hundreds of accounts and it takes me hours to reset the passwords... and I just did it two months ago. Ugh.
>
> Just out of curiosity, how would staying off the internet help? Wouldn't the systems of these sites still be vulnerable, and thus our information at risk, even if we didn't log in?
This vuln existed for 2 years. Now that it's been exposed (and patched) - it gives attackers a method to be able to actively attack. So... if you were an attacker now you could start decrypting *live* 'Bank of FrankTheFrowner' data as opposed to the data blob you captured 18 months ago during which time your account password may have changed.

You can use these sites to test your suspected websites:
http://filippo.io/Heartbleed/
https://www.ssllabs.com/ssltest/
https://lastpass.com/heartbleed/
 
Last edited:

whiskeyguy

PR representative for Drunk Whiskeyguy.
Jan 12, 2010
36,214
21,810
398
Northern California
#15
God damn it, I just realized someone has hacked into my Facebook account and has been hitting on fat girls at 2:30 AM on the weekends. Somehow they also sent text messages and made calls to them from my cell.
 

WadsOfShit

Dead to Everyone on Wackbag.
Oct 10, 2013
7,023
5,902
158
#18
HOLY FUCKING SHIT!
 

whiskeyguy

PR representative for Drunk Whiskeyguy.
Jan 12, 2010
36,214
21,810
398
Northern California
#19
> I just changed everything. What a pain in the ass.
You'll probably have to do it again this weekend, as not all sites are patched yet... either that or maybe not logging in with your new passwords might be safe enough. The bug allows hackers to read the exchange of information (from what I understand), so logging in is where the security threat lies.

If I'm wrong someone correct me.
 

Neon

ネオン
Donator
Mar 23, 2008
51,705
18,465
513
Kingdom of Charis
#20
> You'll probably have to do it again this weekend, as not all sites are patched yet... either that or maybe not logging in with your new passwords might be safe enough. The bug allows hackers to read the exchange of information (from what I understand), so logging in is where the security threat lies.
>
> If I'm wrong someone correct me.
The biggies all did, I'm sure. I just went off of this list that says which websites you should change your password in. I assume if they tell you to it means it's already patched.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-Tw-main-link
 

whiskeyguy

PR representative for Drunk Whiskeyguy.
Jan 12, 2010
36,214
21,810
398
Northern California
#21
> Boom... two-factor authentication available for all members via Google Authenticator:
> https://www.wackbag.com/account/two-factor
Another question maybe you can shed some light on... all these sites (Google, Facebook, Twitter) allow you to log onto other websites using your accounts with them (ex. I can log onto Tapatalk using my Google account). Is that safer than having separate passwords for every account? What about if you aren't using 2-factor authentication to do it?
 

Neon

ネオン
Donator
Mar 23, 2008
51,705
18,465
513
Kingdom of Charis
#23
> I used one of the links Zag posted to test "Usbank.com", and it returned vulnerable, but then when I tested it again five minutes later it said it's secure.
See my edit above and go to the Mashable link.
 

whiskeyguy

PR representative for Drunk Whiskeyguy.
Jan 12, 2010
36,214
21,810
398
Northern California
#24
> See my edit above and go to the Mashable link.
From that link:

Healthcare .gov

Was it affected: Unclear

Is there a patch: Unclear

Do you need to change your password: Unclear

What did they say: Healthcare.gov has not yet responded to a request for comment.

Of course they haven't!
 

zagman76

Wackbagger, Geek, Administrator
Wackbag Staff
Nov 18, 2004
12,560
578
628
Long Island, NY
#25
> Another question maybe you can shed some light on... all these sites (Google, Facebook, Twitter) allow you to log onto other websites using your accounts with them (ex. I can log onto Tapatalk using my Google account). Is that safer than having separate passwords for every account? What about if you aren't using 2-factor authentication to do it?
In theory - yes, it's more secure because there is no username/password for "Frank's Hat Emporium" as you are using [insert OpenID / SSO provider here]'s authentication token programmatically. Said token is encrypted data, and would look something similar to:
89pEYZPaQNTh9vfb3KRumsmzeF4UcT8bS4ZS
Frank's Hat Emporium never gets your [SSO PROVIDER] password, just an "A-OK: That is indeed [you]!" Ideally, these tokens are single use, and use perfect forward secrecy.
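The exchange the post describes, as an added toy model that is not code from the post or from any real SSO provider: the identity provider issues an opaque, random, short-lived token; the relying party ("Frank's Hat Emporium") redeems it with the provider once and receives only the "that is indeed you" answer, never a password; redeeming the same token a second time, or after it expires, fails. The class and method names, the 60-second lifetime and the 36-character token length (chosen to match the shape of the post's sample) are all assumptions, and the TLS-level property the post calls perfect forward secrecy is not modelled here.

```python
"""Toy model of single-use SSO login tokens. Added example; names, token
length and lifetime are assumptions, not any provider's real protocol."""
import hashlib
import secrets
import time


class IdentityProvider:
    """Issues opaque login tokens and answers 'is this token still good?' exactly once."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested offline
        self._pending = {}          # sha256(token) -> (user, expiry)

    @staticmethod
    def _key(token):
        # Store only a hash, so a leaked table does not hand out live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user):
        """Called after the user authenticated with the provider (password, MFA, ...)."""
        token = secrets.token_urlsafe(27)   # 27 random bytes -> 36 url-safe characters
        self._pending[self._key(token)] = (user, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Return the user the token vouches for, or None. The token is burned either way."""
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None                     # unknown, already used, or tampered with
        user, expiry = entry
        if self.clock() > expiry:
            return None                     # expired: a captured token has a short life
        return user


class RelyingParty:
    """A site that never stores passwords; it only asks the provider about tokens."""

    def __init__(self, provider):
        self.provider = provider
        self.sessions = {}                  # session id -> user

    def login_with_token(self, token):
        """Trade a provider token for a local session, or None if the provider says no."""
        user = self.provider.redeem(token)
        if user is None:
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user
        return session_id


if __name__ == "__main__":
    idp = IdentityProvider()
    shop = RelyingParty(idp)
    token = idp.issue_token("frank")        # constructed sample user
    print("first redeem ->", shop.login_with_token(token) is not None)   # True
    print("replayed token ->", shop.login_with_token(token) is not None)  # False
```

The point for a defender is the last two lines: a token that leaks in transit is worth exactly one login for at most one minute, whereas a leaked password is worth every login until it is changed.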
 