Fiesta Fan Forums


Vasu 04-11-2014 11:19 PM

Heartbleed
 
Do any of us know whether FF uses OpenSSL for its security? And whether it's likely to be fixed? In other news, you guys should all probably change your Facebook password, and probably also your Google password. Also Tumblr, Pinterest, Instagram, Yahoo Mail.

Here's a nice tracking page:

http://mashable.com/2014/04/09/heart...ites-affected/

For those of you wondering what all of this is about, xkcd has the simplest explanation I've seen:

http://imgs.xkcd.com/comics/heartbleed_explanation.png

Ralath 04-12-2014 02:30 AM

That comic was still confusing.

Vasu 04-12-2014 02:39 AM

Well, the bug in SSL essentially allowed anyone to access whatever was in the server's RAM or main memory at the time. Now any processing that a computer does involves moving data from your normal file system to the RAM.

Now imagine there's a file 'supersecret.txt' on my Dropbox that I just accessed. The file's contents are copied to main memory on the way to me. The contents of the file itself remain restricted to me, but whatever is within the main memory isn't really associated with my file any more once I'm done. It's just unstructured data sitting there, and can be overwritten at any time.

However, someone exploiting this bug can get it to spit out whatever is in the main memory and it will, because the server doesn't see the bunch of 1s and 0s as belonging to your file any more. And so any sensitive data may have been obtained. It's a crapshoot, but there's a chance of it happening.

Not all major websites used OpenSSL, but it is pretty widely used, so a lot of servers have been putting up patches for the flaw. Obviously changing your password is useless if the company itself hasn't patched their server.
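
The over-read described in the post above, as an added example (not part of the thread and not OpenSSL's code): a toy echo handler that trusts the length the client claims, next to the version that checks it against what actually arrived. The record layout is simplified, the names `mem`, `STALE`, `load_request` and `handle` are made up for illustration, and the leftover data is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64
static unsigned char mem[MEM_SIZE];        /* constructed stand-in for server RAM */
static char last_reply[MEM_SIZE + 1];      /* what the client gets back */

/* Constructed sample: an earlier user's data still sitting in the reused buffer. */
static const char STALE[] = "user=alice&password=correct-horse-battery-staple";

/* Write a record over the start of the buffer:
   [type:1][claimed payload length:2, big endian][payload]. Returns its real length. */
static size_t load_request(unsigned claimed_len, const char *payload) {
    size_t n = strlen(payload);
    memset(mem, 0, sizeof mem);
    memcpy(mem, STALE, sizeof STALE - 1);
    mem[0] = 1;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, n);
    return 3 + n;
}

/* Echo the payload back. With use_fix == 0 the claimed length is trusted. */
static size_t handle(int use_fix, unsigned claimed_len, const char *payload) {
    size_t rec_len = load_request(claimed_len, payload);
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    last_reply[0] = '\0';
    if (use_fix && 3 + claimed > rec_len)
        return 0;                          /* fixed: discard, send nothing */
    if (3 + claimed > MEM_SIZE)
        claimed = MEM_SIZE - 3;            /* demo guard: stay inside mem[] */
    memcpy(last_reply, mem + 3, claimed);  /* vulnerable path copies past the payload */
    last_reply[claimed] = '\0';
    return claimed;
}

int main(void) {
    handle(0, 4, "bird");   printf("honest request : %s\n", last_reply);
    handle(0, 40, "bird");  printf("vulnerable     : %s\n", last_reply);
    printf("fixed          : %zu bytes\n", handle(1, 40, "bird"));
    return 0;
}
```

The second call sends four bytes but claims forty, so the unchecked copy returns the four bytes plus whatever the previous request left behind them.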

Ivramire 04-12-2014 11:44 AM

Just spent about an hour waterproofing my passwords and making them all unique. Heartbleed's serious stuff.

Vasu 04-12-2014 04:39 PM

Quote:

Originally Posted by Ivramire (Post 468917)
Just spent about an hour waterproofing my passwords and making them all unique. Heartbleed's serious stuff.

I use a common root word for my passwords which are modified based on the name of the website I visit. If a human looks at them in plaintext, it's pretty obvious, but it should stand up to machine analysis haha.

EDIT: I found a better checking tool:
https://lastpass.com/heartbleed/

Entropy 04-12-2014 07:42 PM

Quote:

Originally Posted by Vasu (Post 468914)
Do any of us know whether FF uses OpenSSL for its security?

FF doesn't use OpenSSL.

Also, passwords are hashed before they are sent to the server and are salted and hashed again before being stored. Your passwords are safe even if someone does get in. Even I can't figure out what they are.

Vasu 04-12-2014 10:36 PM

Hm, good to know, but that's probably standard procedure anyway. The danger is with the server's private keys being leaked via this bug. But it's a moot point anyway since we don't use OpenSSL.

Hessah 04-13-2014 11:07 AM

Oh man I have to relearn all my passwords...

Ivramire 04-13-2014 12:47 PM

All my passwords are now random strings of letters and numbers, like addgag9a8duge7wg. I'm using a password-manager (Lastpass) with a strong master password to manage it all for me.

Lirange 04-13-2014 04:00 PM

I'll take my chances hehe

Blaaaaaaaah 04-13-2014 10:07 PM

Living life on the edge huh. reflected by your LoL gameplay.

Hessah 04-13-2014 10:38 PM

Quote:

Originally Posted by Ivramire (Post 468930)
All my passwords are now random strings of letters and numbers, like addgag9a8duge7wg. I'm using a password-manager (Lastpass) with a strong master password to manage it all for me.

This LastPass concept is so new.. I'm still trying to understand how that is safe?!

So the idea is that you don't have to remember any passwords anymore? What happens if you log into, say FB, from different computers, will LastPass carry over to other computers?

Lirange 04-13-2014 10:44 PM

Quote:

Originally Posted by Blaaaaaaaah (Post 468932)
Living life on the edge huh. reflected by your LoL gameplay.

Yep, both my password and gameplay are unpredictable.

Ralath 04-14-2014 12:10 AM

ugh I'm trying to reset my Tumblr account password because it apparently had the Heartbleed bug, but I can't even remember my own password...

Ivramire 04-14-2014 02:25 AM

Quote:

Originally Posted by Hessah (Post 468933)
This LastPass concept is so new.. I'm still trying to understand how that is safe?!

So the idea is that you don't have to remember any passwords anymore? What happens if you log into, say FB, from different computers, will LastPass carry over to other computers?

The idea is that you only have to remember one password, your master password for Lastpass and Lastpass remembers all other passwords for your other sites even if they're random gibberish.

I pretty much never need to log into sites that need my passwords from other computers but if I needed to at some point, I'd just download Lastpass onto that computer's browser and log-in from there. I think that you don't even need to download the extension, just go to the Lastpass site and get the info from there.

Blaaaaaaaah 04-14-2014 03:33 AM

Quote:

Originally Posted by Ivramire (Post 468942)
The idea is that you only have to remember one password, your master password for Lastpass and Lastpass remembers all other passwords for your other sites even if they're random gibberish.

I pretty much never need to log into sites that need my passwords from other computers but if I needed to at some point, I'd just download Lastpass onto that computer's browser and log-in from there. I think that you don't even need to download the extension, just go to the Lastpass site and get the info from there.

There's our problem for us office-bludgers xD

Hessah 04-14-2014 03:43 AM

Quote:

Originally Posted by Blaaaaaaaah (Post 468945)
There's our problem for us office-bludgers xD

Indeed... I was thinking about all the different places I might log into things that require passwords... and then I realise.. I'm probably a LOT less security conscious than Ivra..

Ivramire 04-14-2014 06:29 AM

I kinda feel like using someone else's computer is kind of like using their toothbrush xD

Hessah 04-14-2014 06:35 AM

HAHAHAHAHAHA

Well that makes me think maybe I'm not THAT bad... Other than my home comp, it's generally just my work comp and mobile / tablet.. but that would still be 4 places that I'll need to install LastPass.. if I go with that...

Lirange 04-14-2014 12:33 PM

Quote:

Originally Posted by Ralath (Post 468937)
ugh I'm trying to reset my Tumblr account password because it apparently had the Heartbleed bug, but I can't even remember my own password...

Wth, you're not young enough to have a Tumblr.

Ralath 04-14-2014 07:15 PM

I'M STILL YOuNG! !!

Lirange 04-14-2014 07:57 PM

Heh...

Ralath 04-15-2014 12:07 AM

I Snapchat too.

Lirange 04-15-2014 12:19 AM

Omg. Do you have a WhatsApp too?

Lirange 04-15-2014 12:20 AM

WHO ARE YOU SENDING YOUR NuDES TO?

Blaaaaaaaah 04-15-2014 01:08 AM

I use whatsapp am I young too????

Lirange 04-15-2014 01:16 AM

Maybe I'm just not hip...WHAT'S WRONG WITH TEXTING AND FB MESSAGING?

Hessah 04-15-2014 01:16 AM

I'm sure our parents would love to hear the idea that using whatsapp = young...



^ Sometimes I think Lirange is older than us..

Blaaaaaaaah 04-15-2014 01:30 AM

I still think he's 14.

Lirange 04-15-2014 01:46 AM

Quote:

Originally Posted by Hessah (Post 468965)
I'm sure our parents would love to hear the idea that using whatsapp = young...



^ Sometimes I think Lirange is older than us..

DOES YOUR FAMILY HAVE A WHATSAPP GROUP?
Quote:

Originally Posted by Blaaaaaaaah (Post 468966)
I still think he's 14.

I sometimes look 14

Ralath 04-15-2014 03:37 AM

Quote:

Originally Posted by Lirange (Post 468961)
WHO ARE YOU SENDING YOUR NuDES TO?

i bet you'd like to know.





my parents don't use WhatsApp, but they use WeChat. They invited me to join a group with them but I declined LOL The only reason I would use that app would be to chat with them.

Hessah 04-15-2014 04:17 AM

Quote:

Originally Posted by Lirange (Post 468964)
Maybe I'm just not hip...WHAT'S WRONG WITH TEXTING AND FB MESSAGING?

I assume Lirange prefers the traditional texting and FB message.. he sounds like he's more old-fashioned than us keke

We do have a family whatsapp chat... so convenient!

I'm even in a cousins whatsapp chat with my husband's family of cousins.. which is fantastic! I finally got to know his extended family who live in the states that I hear a lot about.. I admire how close all the cousins are..

Blaaaaaaaah 04-15-2014 04:23 AM

ohh, there's a difference between old-fashioned and old. cos I thought you meant old-mature which is def not the case for lirange 8D

Hessah 04-15-2014 04:26 AM

Oh ok then old-fashion LOLOL

Lirange 04-15-2014 10:54 AM

I'm totes mature.
Seems like my family isn't as communicative as yours Lool.

Blaaaaaaaah 04-15-2014 09:16 PM

maybe when you're older.... hahaha


All times are GMT.