Heartbleed - Are we vunerable?

NinjaCow64 · Apr 10, 2014

Yeah so everyone has been going on about this Heartbleed bug...I'm just curious, is CFC vulnerable/was vulnerable? I would just like to know in case I need to change my password.

ainwood · Apr 10, 2014

Well, unless someone wants to read your pms....

Our SSL certificate was regenerated 2 days ago, so it might have been our hosts fixing the problem. I asked them, and will let you know.

NinjaCow64 · Apr 10, 2014

ainwood said:
Well, unless someone wants to read your pms....

Our SSL certificate was regenerated 2 days ago, so it might have been our hosts fixing the problem. I asked them, and will let you know.

Yeah I guess it isn't that big a deal but it's better to be ~~extra-super paranoid~~ safe than sorry I guess.

ls612 · Apr 10, 2014

I changed my password this morning as a precaution, just to be safe.

Quintillus · Apr 10, 2014

What does CFC actually use SSL/TLS for, if anything? As far as I can tell, it's all plain text. I just tested logging in from a different browser where I didn't have "remember me" turned on, and it's all HTTP. Looking at the data that was sent in Fiddler, my username and password are both in plain text. Private messages are sent in plain text, too - it's private in that not everyone who's logged in to CFC can read your PMs, but if you were using public WiFi at a cafe, someone else in the cafe could read it if they wanted to.

So my conclusion is that CFC is not vulnerable because no encryption is used. But that also means that you should not be using the same password for CFC that you use for any site that you wish to actually remain private.

It might not be a bad idea for CFC to add encryption of at least passwords, since there probably are a lot of people who use their CFC password for everything else, too, but I don't know how feasible that is with vBulletin.

Nightinggale · Apr 10, 2014

Quintillus said:
It might not be a bad idea for CFC to add encryption of at least passwords, since there probably are a lot of people who use their CFC password for everything else, too, but I don't know how feasible that is with vBulletin.

I fully agree with that statement. Losing an account to a random stranger sounds quite bad as it would likely result in having to make a new account. Considering accounts have friends, post history and stuff like that, we really shouldn't rely on unencrypted transmissions for login details.
If you used your password for something else (shame on you :nono:

) it will just make it even worse.

Some servers use encryption for everything. I favour that solution as it avoids the risk of leaking session ids and similar stuff, and it makes it much easier to figure out which pages to encrypt.

Chieftess · Apr 10, 2014

ls612 said:
I changed my password this morning as a precaution, just to be safe.

Changing a password before the fix won't do anything if a system is compromised. Password changes would have to be done after the fix to be 100% certain.

Nightinggale · Apr 11, 2014

Chieftess said:
Changing a password before the fix won't do anything if a system is compromised. Password changes would have to be done after the fix to be 100% certain.

Heartbleed leaks data from memory meaning the action you can take to protect yourself on a compromised system is not to use it at all. That way your login info will stay on the disk and not in memory. Apart from that there is nothing the end user can do as Heartbleed is a server side bug.

However I think the complete lack of encryption on CFC is a far worse problem than CFC being hit by Heartbleed.

ls612 · Apr 11, 2014

Chieftess said:
Changing a password before the fix won't do anything if a system is compromised. Password changes would have to be done after the fix to be 100% certain.

Yeah, I know that. I was assuming that ainwood's post about the changed SSL certificates meant that the vulnerability had been patched (it would have been a big coincidence otherwise). I'm mainly concerned now as others have pointed out that there is no protection of any CFC related data, which makes changing passwords pointless. :crazyeye:

ainwood · Apr 17, 2014

The site does not use SSL.

furrykef · Apr 17, 2014

It doesn't have to be the main site. If another site on the same server uses SSL, or if the cpanel or something uses SSL, that could expose information too.

Not very likely, especially since the exploit only reveals 64 kb of random data, but the possibility still exists.

Nightinggale · Apr 17, 2014

ainwood said:
The site does not use SSL.

Isn't that a far worse problem than being hit by heartbleed? Rather than a breach of security, there is no security at all :eek:

Bulldog Bats · Apr 18, 2014

Another site I go to (talkbass.com - for bass players) just changed their entire format for security reasons. Their site was almost exactly like this site in format, but changed.

Tergiversater · Apr 19, 2014

Nightinggale said:
Isn't that a far worse problem than being hit by heartbleed? Rather than a breach of security, there is no security at all

Unless you use the password on CFC for other sites, you should be ok.

Hammer Rabbi · Apr 20, 2014

ainwood said:
The site does not use SSL.

Heh, that explains the "no results" i got from this site to test for it.

https://www.ssllabs.com/ssltest/analyze.html

Heartbleed - Are we vunerable?

NinjaCow64

Thought Bubble Thinker

ainwood

Consultant.

NinjaCow64

Thought Bubble Thinker

ls612

Deity

Quintillus

Resident Medieval Monk

Nightinggale

Deity

Chieftess

Moderator

Nightinggale

Deity

ls612

Deity

ainwood

Consultant.

furrykef

Chieftain

Nightinggale

Deity

Bulldog Bats

King

Tergiversater

Chieftain

Hammer Rabbi

Deity

Similar threads