Change your passwords
Site Update
We have been made aware of a devastating bug in SSL software, explained here. It is important that you change any passwords associated with sensitive information, such as banking passwords, PayPal, etc. just in case. Changing your passwords everywhere is probably a good choice!
Stay safe!
Posted by JAK (#15) on Tue Apr 8, 2014 4:57pm
Posted on: Thu Apr 10, 2014 7:45pm
I am also a system administrator. The biggest issue is actually that passwords CAN be stolen. An attacker would have the ability to steal the decrypted password from the server so long as it is in memory. It is unlikely that a specific password was stolen, especially if application developers used proper encapsulation (deleting the memory as soon as the password was verified), but undoubtedly it is possible. Yahoo, however, is not actually as vulnerable as it appears, as they enable Perfect Forward Secrecy. This makes it much harder for this particular bug to be a risk to them (though it still is).
The biggest issue though is that there are sites out there (like Aywas) that don't use SSL at all! Which is worse? A site where anyone who wants to can walk along and pick up your login info, or a site where anyone who wants to can walk along and have a shot in the dark at picking up your login info?
The OpenSSL bug did not open up administrator capability to hackers. It simply opened up the ability to read system memory. The company I work for has been fielding questions all day about this, and we don't even use that version of SSL (we use IBM-specific SSL software).
Please people, if you use the same password on this site as you do anywhere else, change it. I did not realize before (my wife is the primary user of this site) but SSL is NOT utilized here, and that is a far more dangerous security hole.
As for the security of credit cards and banking accounts, don't worry. PayPal, Google, and a few others (most large sites) were never vulnerable. OpenSSL is not the only SSL implementation, and typically the larger a site, the less likely it is that they use it. The biggest offenders are likely to be small time sites which don't process any credit card data themselves.
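The comment's point about encapsulation (clearing a password from memory the moment it has been verified, so a memory-disclosure bug has as little to find as possible) as an added C example; this is not code from the site or the commenter, and `check_and_scrub`, `secure_wipe` and the sample credential are constructed here for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A plain memset() on a buffer that is never read again is a dead store
   the optimizer may delete. Calling memset through a volatile function
   pointer forces the compiler to assume the call has side effects, so the
   wipe survives. (explicit_bzero/memset_s do the same where available.) */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n) {
    memset_ptr(p, 0, n);
}

/* Constant-time comparison: the loop always runs over all n bytes, so the
   time taken does not reveal how many leading bytes matched. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Hypothetical login step. `buf` stands in for the request buffer a server
   holds the decrypted credential in while checking it; `expected` stands in
   for the stored verifier (in a real system the output of a password hash
   such as bcrypt, here just constructed bytes). Whatever the outcome, buf
   holds only zeros when this returns, shortening the secret's lifetime. */
int check_and_scrub(unsigned char *buf, size_t buflen,
                    const unsigned char *expected, size_t explen) {
    int ok = (buflen == explen) && ct_equal(buf, expected, explen);
    secure_wipe(buf, buflen);   /* done with the secret: clear it now */
    return ok;
}

/* Helper so a caller (or test) can confirm nothing of the secret remains. */
int is_zeroed(const unsigned char *buf, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= buf[i];
    return acc == 0;
}

int main(void) {
    unsigned char supplied[] = "hunter2";      /* constructed sample */
    const unsigned char verifier[] = "hunter2"; /* constructed sample */
    int ok = check_and_scrub(supplied, 7, verifier, 7);
    printf("match=%d wiped=%d\n", ok, is_zeroed(supplied, sizeof supplied));
    return 0;
}
```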