Heartbleed bug

joyote
Have the necessary patches been installed to protect ECCIE and users of ECCIE.net from this widespread security flaw?
  • LNK
  • 04-10-2014, 09:19 PM
I heard these sites were affected by the bug and you should change your passwords if you have an account.

Google, YouTube and Gmail, Facebook, Yahoo, Yahoo Mail, Tumblr, Flickr, OKCupid Wikipedia.

I have a hobby email account with Gmail, so I will go ahead and change the password for it.
  • Mokoa
  • 04-10-2014, 10:07 PM
You may want to wait until the affected sites for which you have an account have addressed the issue. Changing your password before the issue is taken care of will only expose your new password the same way the previous password was exposed.
laserface
Have the necessary patches been installed to protect ECCIE and users of ECCIE.net from this widespread security flaw? Originally Posted by joyote
ECCIE doesn't use SSL at all, so it was never vulnerable to this particular flaw.
joyote
ECCIE doesn't use SSL at all, so it was never vulnerable to this particular flaw. Originally Posted by laserface
That's good to hear, but how do you know this?


It would be nice if ECCIE would put out an official statement on this issue.
It would be nice if Eccie did put out a statement on this subject. P411 did.
laserface
That's good to hear, but how do you know this?


It would be nice if ECCIE would put out an official statement on this issue. Originally Posted by joyote
The short answer is - about 20 years of experience with web servers and SSL.

The longer answer is - anyone with knowledge of what SSL is and how it works can confirm this for themselves by watching their network traffic while browsing ECCIE (particularly when logging in) using something like the Developer Tools panel in Internet Explorer, Firebug in Firefox, or the Chrome Developer Tools in Chrome. Or just by looking at the page source for the various pages on ECCIE and seeing that "https:" is never used anywhere, other than for third-party ads (and these third-party servers, not operated or managed by ECCIE, wouldn't have access to things like your ECCIE credentials).
Easyeddie
So to put it another way

OpenSSL: false sense of security

No SSL: no security at all...

so if you're worried about whether ECCIE was affected...... well, that's the last thing to worry about...

jframe2
The public knowledge of Heartbleed is months and months behind the Industry responses and the responses by users of OpenSSL.

It was hoped that the whole thing was to be kept under wraps by all parties concerned. How the problem got into the public media is going to be pretty interesting, if you are in the industry.

Change your passwords and move on with your life.
laserface
So to put it another way

OpenSSL: false sense of security

No SSL: no security at all...

so if you're worried about whether ECCIE was affected...... well, that's the last thing to worry about... Originally Posted by Easyeddie
I wouldn't say that. "SSL" does not mean "security", nor does "no SSL" mean "no security". Keep in mind, what SSL does is stop (or at least make it impractical to accomplish) information you send to/from a server from being observed or otherwise messed with by a third party. (It does some other things too, but there's no need to get into that level of detail here.) Without SSL, the information you send and receive could be observed or changed while it's being sent across the network. However, to be able to do that, the bad guy needs to be in a "privileged position" on the network. The next-door neighbor who's snooping the packets on your wireless network and has somehow cracked your encryption key (you're still using WEP? Really?). The guy at the table next to you who's snooping the packets on the wireless network while you're surfing the Internet on your laptop at your local coffee shop (where the wireless network probably uses no encryption at all). The technicians at your ISP - or, in fact, at any other network service provider that the data has to pass through to get where it's going. Your employer, if you're surfing the Internet via your employer's network. The FBI, if they've got a CALEA-authorized tap to monitor your network activity at your ISP (or at the server's ISP). The NSA, since they monitor everything, everywhere.... The point is, someone's somehow got to get a foothold in the actual network infrastructure in order to steal your information.

By contrast, while the Heartbleed vulnerability does not allow an attacker to modify your network traffic, it has the potential to expose your information to ... anyone, anywhere... The best explanation I've seen so far about how the vulnerability works is:

http://xkcd.com/1354

In terms of how bad this vulnerability is, I've heard one information security researcher describe it as, "On a scale of 1 to 10, this is an 11."

While it would be ideal if ECCIE would use SSL, I can imagine some reasons why it might be difficult to implement (such as, having to provide positive ID and such to an SSL certificate authority...), and I'm sufficiently comfortable with the fact that they don't (though if ECCIE eventually did offer access to the site via https:, using a self-signed certificate or something, I'd certainly use it just to get the data encrypted in transit). If it is a concern to you, you can take some steps to significantly mitigate it. Use a different password on ECCIE than you use for anything else, and change it regularly. Don't browse ECCIE from public networks (like the local library, the nearby coffee shop with free WiFi, etc.), or from work. Make sure your home WiFi network uses strong encryption (WPA/WPA2). Some simple, common sense precautions should eliminate most of your concerns.
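As an added illustration of the mechanism the xkcd strip linked above describes (this is constructed demo code, not code from the thread and not OpenSSL's own source): a simulated heartbeat handler that trusts the client-supplied length field, next to the same handler with the bounds check it was missing. The memory arena, the struct and the function names are all assumptions made up for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed "heap": a 5-byte heartbeat payload followed by unrelated data,
 * standing in for whatever sat next to the record in the real process. */
static const unsigned char ARENA[] = "HELLO" "\0\0\0" "session=abc123secret";
#define RECORD_LEN 5              /* bytes that actually arrived on the wire */

struct heartbeat {
    size_t claimed_len;           /* length field in the message, client-controlled */
    size_t record_len;            /* bytes really received */
    const unsigned char *payload;
};

/* Vulnerable handler: trusts claimed_len and never compares it to record_len, so it
 * echoes bytes that were never part of the request. The out_cap clamp only keeps
 * this demo inside its own buffer; it is not the missing check. */
static size_t heartbeat_vulnerable(const struct heartbeat *hb, unsigned char *out, size_t out_cap) {
    size_t n = hb->claimed_len < out_cap ? hb->claimed_len : out_cap;
    memcpy(out, hb->payload, n);
    return n;
}

/* Fixed handler: a request claiming more than it delivered is dropped. */
static size_t heartbeat_fixed(const struct heartbeat *hb, unsigned char *out, size_t out_cap) {
    if (hb->claimed_len > hb->record_len) return 0;
    size_t n = hb->claimed_len < out_cap ? hb->claimed_len : out_cap;
    memcpy(out, hb->payload, n);
    return n;
}

/* Constructed request: 5 real bytes, but the length field claims 28. */
static size_t simulate(int use_fixed, unsigned char *out, size_t out_cap) {
    struct heartbeat hb = { 28, RECORD_LEN, ARENA };
    return use_fixed ? heartbeat_fixed(&hb, out, out_cap) : heartbeat_vulnerable(&hb, out, out_cap);
}

/* Bytes echoed beyond the 5 actually received (0 = no over-read). */
static size_t overread_bytes(int use_fixed) {
    unsigned char out[64] = {0};
    size_t n = simulate(use_fixed, out, sizeof out);
    return n > RECORD_LEN ? n - RECORD_LEN : 0;
}

/* 1 if the adjacent "session=" data (arena offset 8) came back in the response. */
static int leaks_adjacent_data(int use_fixed) {
    unsigned char out[64] = {0};
    simulate(use_fixed, out, sizeof out);
    return memcmp(out + 8, "session=", 8) == 0;
}
```

The vulnerable path returns 23 bytes it was never sent, including the neighbouring "session=" data; the fixed path returns nothing, which is why the flaw is a disclosure bug rather than one that lets an attacker alter your traffic.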
  • LNK
  • 04-11-2014, 10:29 PM
xkcd is the shit.

Thank you for your post, laserface.
Sigh. Yes. It was an oversimplification.

SSL or not, yes, someone has to be in a position to sniff your network data.

The point is Heartbleed is irrelevant to Eccie, not because it used a non-OpenSSL protocol, but because it doesn't use SSL at all. Your data to/from Eccie is being transmitted in clear text already.