TechSpot

LastPass now includes recommendations for Heartbleed

  1. This week, security researchers discovered a major bug called Heartbleed that affects almost two-thirds of the Internet, potentially exposing millions of passwords, credit card numbers, and other valuable information. Many popular websites like Yahoo, OkCupid, Github, and more were vulnerable.

  2. Cycloid Torus

    Cycloid Torus TS Booster Posts: 181   +39

    Who else is offering 'checker' services? What can you trust?
  3. treeski

    treeski TS Guru Posts: 875   +130

    So, what about Techspot?
  4. Per Hansson

    Per Hansson TS Server Guru Posts: 1,930   +123 Staff Member

    Heartbleed only affects SSL-enabled websites (https), which Techspot has so far never been...
    I must also say that the article is extremely sensationalist; they say two thirds of the internet's web-facing servers.
    I beg to differ: most sites are not even SSL-enabled, and of those that are, only a specific version of OpenSSL is vulnerable.
    Netcraft has real statistics in case you are interested: http://news.netcraft.com/archives/2...ed-websites-vulnerable-to-heartbleed-bug.html
  5. wastedkill

    wastedkill TS Maniac Posts: 1,148   +241

    Heartbleed... who chose that name??? Sounds like an actual disorder...
  6. jobeard

    jobeard TS Ambassador Posts: 13,407   +314

    @wastedkill it's a HEARTBEAT-type protocol, and the name was munged for the disclosure into BLEED, due to bleeding private data.

    To test the website you are accessing for this issue, see this website.

    and don't waste your time on HTTP links as @Per Hansson has noted :)
  7. wastedkill

    wastedkill TS Maniac Posts: 1,148   +241

    Ah ok I kinda get it now :)
  8. Raoul Duke

    Raoul Duke TS Enthusiast Posts: 301   +81

    Actually, to my dismay, Revenue Canada, the tax department for Canada, has had to suspend online filing of income taxes until they fix this. They are even extending the deadline for filing your taxes. When the government is willing to delay taking your money, you know something is really wrong.
  9. umbala

    umbala TS Rookie Posts: 19

    This is relevant to my interests.
  10. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,159   +174

    Well for a starter, Yahoo, Google, Microsoft are affected which affects practically everyone. Netflix is a massive one. Many Government websites. Banks have to check their sites as well. Credit/debit card terminals may be affected as well.

    To say it is sensationalistic is to understate the stakes here. Any service you use regularly that is susceptible (which any site you really care about should be using SSL anyway) should be at the very least checked. In plain text I could have your logins and I don't even need to intercept your comms on the wire. *That* is what we are talking about here. Every single login to a susceptible site in PLAIN TEXT just by sending some queries to the server.

    Edit: What's more you don't know WHO has the logon details. It could be the NSA, some high school geek, Russian crackers, Chinese crackers, the list goes on. Do *you* care about someone having unfettered access to those accounts? Sure for some sites you won't care...

    Also, it is an interesting point you make about Techspot. Not using HTTPS? Does that mean our logons are currently being sent in plain text over the web? If so are there plans to update this?
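    The point jobeard made about HEARTBEAT being munged into BLEED, and Darth Shiv's point that logins come back in plain text "just by sending some queries to the server", both come down to one missing bounds check in the OpenSSL heartbeat handler. The following C model is added here and is not code from this thread, TechSpot, LastPass or OpenSSL: it puts a handler in the pre-fix shape beside one with the two checks that OpenSSL 1.0.1g introduced, and feeds both a request that declares a 40-byte payload while sending only 4. The message layout (type byte, 16-bit payload length, payload, 16 bytes of padding) is the real TLS heartbeat format; the handler names, the constructed records and the fake "secret" standing in for neighbouring heap memory are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* heartbeat messages end with 16 bytes of padding */

/* Stand-in for OpenSSL's s->s3->rrec: the bytes that actually arrived and their length. */
typedef struct { const uint8_t *data; size_t length; } record_t;

/* 16-bit big-endian length, as OpenSSL's n2s macro reads it. */
static unsigned n2s(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Common tail of both handlers: allocate and fill the response (malloc'd, size in *out_len). */
static uint8_t *build_response(const uint8_t *pl, unsigned payload, size_t *out_len) {
    uint8_t *buf = malloc(1 + 2 + payload + HB_PADDING), *bp = buf;
    if (!buf) { *out_len = 0; return NULL; }
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, pl, payload);              /* echoes `payload` bytes back to the peer */
    memset(bp + payload, 0, HB_PADDING);  /* real code fills the padding with random bytes */
    *out_len = 1 + 2 + payload + HB_PADDING;
    return buf;
}

/* VULNERABLE: shape of tls1_process_heartbeat before 1.0.1g. The payload length
 * comes from the peer and is never compared with rrec->length, so the memcpy in
 * build_response runs past the real message into whatever memory follows it. */
static uint8_t *heartbeat_vulnerable(const record_t *rrec, size_t *out_len) {
    const uint8_t *p = rrec->data;
    unsigned hbtype = *p++;
    unsigned payload = n2s(p);            /* attacker-controlled, up to 65535 */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) { *out_len = 0; return NULL; }
    return build_response(p, payload, out_len);
}

/* HARDENED: the two bounds checks the 1.0.1g fix added. Discard the message unless
 * the record can hold header plus padding, and unless the declared payload fits in it. */
static uint8_t *heartbeat_hardened(const record_t *rrec, size_t *out_len) {
    *out_len = 0;
    if (1 + 2 + HB_PADDING > rrec->length) return NULL;
    const uint8_t *p = rrec->data;
    unsigned hbtype = *p++;
    unsigned payload = n2s(p);
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rrec->length) return NULL;
    if (hbtype != TLS1_HB_REQUEST) return NULL;
    return build_response(p, payload, out_len);
}

/* Constructed demo memory (not a real capture): a malicious request that declares a
 * 40-byte payload but carries 4, followed by bytes standing in for neighbouring heap. */
static const uint8_t DEMO_MEMORY[] =
    "\x01"        /* TLS1_HB_REQUEST */
    "\x00\x28"    /* declared payload length: 40 */
    "ping"        /* the 4 bytes actually sent; the wire record ends here */
    "password=hunter2;session=4f3c2b1a0e9d8c7b;";   /* fake secret next to the record */
#define MALICIOUS_RECORD_LEN 7

/* Constructed honest request: 4-byte payload, correctly declared, plus 16 bytes of padding. */
static const uint8_t HONEST_RECORD[] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

static int contains(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's 59-byte response to the malicious record carries the secret. */
int demo_vulnerable_leaks(void) {
    record_t r = { DEMO_MEMORY, MALICIOUS_RECORD_LEN };
    size_t n; uint8_t *resp = heartbeat_vulnerable(&r, &n);
    int leaked = resp && n == 1 + 2 + 40 + HB_PADDING && contains(resp, n, "password=hunter2");
    free(resp);
    return leaked;
}

/* Size of the hardened handler's response (0 if refused or if the payload is not echoed):
 * 0 for the malicious record, 23 for the honest one. */
size_t demo_hardened_response_len(const uint8_t *rec, size_t len) {
    record_t r = { rec, len };
    size_t n; uint8_t *resp = heartbeat_hardened(&r, &n);
    int ok = resp && resp[0] == TLS1_HB_RESPONSE && contains(resp, n, "ping");
    free(resp);
    return ok ? n : 0;
}

int main(void) {
    printf("vulnerable handler leaks the secret: %d\n", demo_vulnerable_leaks());
    printf("hardened handler, malicious record: %zu bytes\n",
           demo_hardened_response_len(DEMO_MEMORY, MALICIOUS_RECORD_LEN));
    printf("hardened handler, honest record: %zu bytes\n",
           demo_hardened_response_len(HONEST_RECORD, sizeof HONEST_RECORD));
    return 0;
}
```

    The over-read here is kept inside one array so the demo is well-defined; on a real server the bytes past the record are whatever the allocator placed there, which is why a single request could return session cookies, passwords or key material, and why the declared length, not the received length, was the whole problem. Note that the hardened handler silently discards a bad message rather than sending an alert, matching the behaviour the 1.0.1g fix chose.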
  11. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,159   +174

    Actually this is an interesting exercise. Maybe we should have a checklist of services you should look at and decide if you care about what they protect and have to do something about this?

    • Banks, credit institutions in general
    • Government logins (general govt ID sites, public healthcare services, voting enrollments)
    • Internet service provider account
    • Company payroll services
    • Email sites (Outlook, Yahoo, GMail, etc)
    • Private health sites
    • Insurance websites (car, personal medical, home & contents etc)
    • Other bill provider sites (your account being compromised might expose payment details to a hacker)
    • VPNs (your VPN service might be compromised and all your data and logins viewable by Govt, hackers etc). Corporate highly sensitive VPNs included. If they have random sequence tokens, sessions could still be viewed decrypted and possibly sessions stolen.
    • Online media services (Netflix, iTunes if affected, Samsung, Sony, Foxtel, Google)
    • Open source projects (GitHub, CollabNet etc)
    • Forums (probably low priority but can be used to harvest information)
    • (Edit) Games services such as Steam, EA, Battlenet
    • (Edit) Online website hosts. Inc cloud services like Azure.
    That's 5 minutes of me thinking out loud. Question is, which services would you care about if they were compromised? For the ones you want secure, I'd highly recommend you check if they are affected and when you can update your passwords.
    Last edited: Apr 11, 2014
  12. Jim Macdonald

    Jim Macdonald TS Rookie

    I tried the password checker this morning and it was great. Easy to use and worked very well. I would recommend LastPass to everyone.
  13. Per Hansson

    Per Hansson TS Server Guru Posts: 1,930   +123 Staff Member

    I did not mean to say that the issue is not serious, it most certainly is.
    But it just irks me when someone puts up a number like that which is blatantly incorrect.
    It's not "two thirds of the Internet"
    There are almost one billion websites on the Internet, and of those ca. half a million have been vulnerable. While that is certainly a big number, it is also only 0.5% of "the Internet".
    Quite far away from the 66.6% claimed by the article!
    The majority of online forums are running in plain text http only.
    I have been looking at switching to https but not for reasons of security, but speed.
    Google's SPDY protocol requires https...
    However after researching it things are not so simple, for example all content needs to be served via https, so all advertisements must support it. (Only a subset does, very hard to get an accurate number)

    Then there is also the problem that if someone would post an inline image for example in the forums linking to a regular http website that would throw up a warning about "insecure content" when you visit such a post, because as I mentioned _all_ content must be sent via https...
    So we would need to implement something to get around that as well.
    All in all it's a very difficult change with questionable benefits for the end-users.

    But rest assured we are looking into it, however not because of Heartbleed or any such vulnerability.
    Truth be told if you look at the latest high-profile vulnerabilities they have all required https enabled websites, take a look at the security changelog on nginx.org for example...
    So one could argue that yes, passwords are sent in plain text but then again you should probably not use the same password for Techspot as you do for your online banking ;)
    Last edited: Apr 11, 2014
  14. TheLastPanda

    TheLastPanda TS Member Posts: 58   +9

    Thank you for the info!!! Also a good point on passwords. If you don't have one for social media, one for your primary email, and one for banking then you are not doing the bare minimum.

