Heartbleed: Time to change your passwords again, folks
This has been getting shockingly little attention for how huge it is. Heartbleed is the name given to an incredibly potent security exploit found in OpenSSL. In plain language, around two thirds of websites out there that use HTTPS, which is generally used for secure transactions, could have potentially been compromised at some point since Monday, with the potential for the server to reveal all information it receives from you to a hacker. This means names, passwords, emails, credit card numbers, bank information--literally anything that you send over the internet to these bugged servers could potentially be listened in on. Worse yet is that not only is this incredibly severe, but also completely undetectable.

The good news is that a fix is out. The...other (not necessarily bad) news is that it's not for us. It's for the servers and their owners. Servers that use the unpatched version of OpenSSL currently run the risk of having customer data stolen which, for obvious reasons, is a very bad thing. So before you do anything important over the interwebs you should make sure that the site is no longer vulnerable.

The better good news is that it seems like in the three-ish days since the bug's discovery most vulnerable websites have been fixed. Using the code from here I ran a test of the top 100 websites, and all 60 of them that had the exploit have since been patched. However, I highly recommend plugging your site into here before you send any personal information, from passwords to credit card information, through any HTTPS site. Also best to go around changing all of your passwords, especially ones used in the last two or three days. Better safe than sorry.
I should get a new layout.

Probably won't, though.
Website managers and the like need to spend less time dicking around and more time protecting their site from harm. Guess I have some passwords to change. It's sad that so much of the web relies on OpenSSL. Why not try something different?
A bit scary after reading about this. I do hope that the fix gets applied everywhere. I personally do not own any "sites" but thanks for the link!
Originally posted by HackerOfTheLegend
It's sad that so much of the web relies on OpenSSL. Why not try something different?

Like GnuTLS or Apple SSL, you mean?

--------------------
<blm> zsnes users are the flatearthers of emulation
And I read once that apparently 128 bit SSL encryption is 'so strong it would take longer than the current age of the universe to crack it'??

Complete and utter bull if you ask me, and this just proves it. I wish the 'officials' would stop messing about with false self advertising and just make something that actually works properly.
Originally posted by gibbl
words

You clearly didn't do your homework.
SSL has not been cracked. A specific implementation of SSL has been. This has nothing to do with key size.


But because I'm bored, let's check whether the numbers still hold water, or if 128-bit SSL is crackable within reasonable time. (This is probably tl;dr material unless you like seeing numbers bounce all across the place.)

The first step is looking up that document. It's here, and its HTTP headers say March 5, 2002.

Computers have evolved. The page says that as of twelve years ago, cracking 40-bit encryption took one week. This diagram says that making 95^10 guesses at what a password is takes ten days with cloud computing. (And even that is from 2012, but it's good enough.) That's roughly 65.7 bits. 40 bits takes 16 milliseconds. Performing a week's work in 16 milliseconds means your computer is 40 million times faster, which makes a huge dent in the time estimations.

But does that mean 128 bits takes less time than the age of the universe? According to my calculations, it takes 1.557 × 10^17 years to guess all possible keys at that pace, assuming the last key you try is the correct one. (You can halve it to get the average time taken, but I'll count with the worst case.)
The age of the universe is 1.4×10^10 years.

However, the password site doesn't tell which algorithm was used to create that graph, and fast password algorithms are millions of times faster than slow ones, so while it would take 11 million times the universe age to guess 2^128 passwords, it could be far faster to try 2^128 keys.

Then we can throw in that NSA most likely has specialized chips that can do nothing at all except decrypt. Since they won't need to worry about if they're decrypting or doing something else, they get faster at actually doing it. This chops off a few orders of magnitude.

Additionally, there are reasons to believe NSA's computers are a fair bit stronger than a rented cloud. That throws the numbers off by another couple orders of magnitude.

Combined, it may lead to 128-bit keys being crackable within a human lifespan. This suggests they can.

Of course there is a solution: Double the key size again, to 256 bits. That throws the numbers back into age-of-the-universe scale, where they belong. Security experts are paranoid, so that's what they're recommending.


But again, the amount of computing power NSA holds has nothing to do with this bug. Even 16777216 bits won't save you if you can ask the server to please tell you which bits are used.

--------------------
<blm> zsnes users are the flatearthers of emulation
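Alcaro's key-size arithmetic above, carried through as an added Python example (this is not code from the thread or from any poster). It takes the post's own figures as constructed inputs (95^10 guesses in ten days on rented cloud, one week for 40 bits in 2002, a 1.4×10^10-year universe) and reproduces the 65.7 bits, 16 ms, 40-million-fold speedup, 1.557×10^17 years and 11-million-universe-ages numbers, then lets you plug in a hypothetical speedup factor standing in for the post's "specialized chips" and "stronger than a rented cloud" assumptions. The speedup factor and the 365-day year are assumptions, not measurements.

```python
import math

# Inputs taken from the post (constructed constants, not measurements of our own):
# the linked diagram says 95^10 password guesses take ten days on rented cloud,
# and the 2002 document says a 40-bit key took one week back then.
CLOUD_GUESSES = 95 ** 10
CLOUD_SECONDS = 10 * 86_400
WEEK_SECONDS = 7 * 86_400
SECONDS_PER_YEAR = 365 * 86_400   # assumption: the post's 1.557e17 figure matches a 365-day year
AGE_OF_UNIVERSE_YEARS = 1.4e10    # the post's figure


def guess_rate(guesses: int, seconds: float) -> float:
    """Guesses per second implied by a measured run."""
    return guesses / seconds


def keyspace_bits(guesses: int) -> float:
    """Equivalent key length, in bits, of a keyspace with this many candidates."""
    return math.log2(guesses)


def worst_case_seconds(bits: int, rate: float) -> float:
    """Seconds to try every key of a `bits`-bit keyspace when the last one is right."""
    return 2 ** bits / rate


def worst_case_years(bits: int, rate: float, speedup: float = 1.0) -> float:
    """Worst case in years, with an optional hypothetical speedup factor
    (the post's 'specialized chips' / 'stronger than a rented cloud' arguments)."""
    return worst_case_seconds(bits, rate * speedup) / SECONDS_PER_YEAR


def speedup_since_2002(rate: float) -> float:
    """How many times faster than 'one week for 40 bits' the measured rate is."""
    return WEEK_SECONDS / worst_case_seconds(40, rate)


def universe_ages(bits: int, rate: float, speedup: float = 1.0) -> float:
    """Worst-case time expressed in ages of the universe."""
    return worst_case_years(bits, rate, speedup) / AGE_OF_UNIVERSE_YEARS


if __name__ == "__main__":
    rate = guess_rate(CLOUD_GUESSES, CLOUD_SECONDS)
    print(f"95^10 guesses = {keyspace_bits(CLOUD_GUESSES):.1f} bits")
    print(f"40-bit keyspace: {worst_case_seconds(40, rate) * 1000:.0f} ms "
          f"({speedup_since_2002(rate):.2g}x faster than 2002)")
    for bits in (64, 128, 256):
        # speedup 1 = rented cloud; 1e3 and 1e5 = hypothetical faster attacker
        for speedup in (1, 1e3, 1e5):
            years = worst_case_years(bits, rate, speedup)
            print(f"{bits:3d}-bit, {speedup:>7.0e}x: {years:.3g} years "
                  f"= {universe_ages(bits, rate, speedup):.3g} universe ages")
```

Change the `speedup` values in the loop to test assumptions of your own; the point the post closes on still stands, since none of these numbers matter when the server hands over the key material through a memory-disclosure bug.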
Originally posted by Alcaro
Of course there is a solution: Double the key size again, to 256 bits. That throws the numbers back into age-of-the-universe scale, where they belong. Security experts are paranoid, so that's what they're recommending.

Fuck it. All the bits. Every user needs a terabyte hard drive to themselves to handle their encryption key. All to hide "Penis123456".
I have a hard time remembering all my passwords except for the top websites I use most frequently, so I hope changing them wouldn't throw a dent in my routine. I also fear that there may be websites I have forgotten about because I go on them so rarely. If you do feel the need to jot them down, don't label which one is for which service, and don't keep it out in the open.

--------------------
Legacy custom music


How am I so creative? I think taking walks might have something to do with it.
Every single level I will ever make in SMM2 will be easier than Ultra Necrozma.
Originally posted by Sokobansolver
I have a hard time remembering all my passwords except for the top websites I use most frequently, so I hope changing them wouldn't throw a dent in my routine.

In the case of the Heartbleed bug, you really only need to worry about changing passwords for sites that use HTTPS in some way or form. More specifically, sites that used a vulnerable version of OpenSSL, but you won't always know who did.

As far as I know, SMWC doesn't use SSL, so you don't need to worry too much about changing your password, at least not because of Heartbleed. However, the fact that it doesn't use HTTPS means you should be careful on public networks, as people are able to sniff out passwords and cookies pretty easily on sites that don't use it. If you access SMWC from public networks frequently, I really wouldn't use the same password I use on SMWC for important things, like email or paypal accounts (though I'd use unique passwords for those services anyway). Someone who gets your SMWC password may not care specifically about your SMWC account, but if they can figure out your email, which would be pretty easy to do if it was right on your profile, they will likely try to use the password to get access to it. You could also use an encrypted VPN, but that might be overboard.

It's always a good idea to change up your passwords every once in a while either way.

Originally posted by Sokobansolver
If you do feel the need to jot them down, don't label which one is for which service, and don't keep it out in the open.

If you want to be really paranoid, there are a few password managers like KeePassX that store your passwords in an encrypted file that can be unlocked with either a password or file you keep on a USB drive or obscure folder or something.
It's not really a problem for me anyways... I have multiple accounts on multiple sites (not against the TOS of the sites), but not this one. B*st*rds need to fix that if they haven't already.

Edit: Wait, if I use OpenVPN (256-bit encryption) 80% of the time, can hackers use Heartbleed to their advantage, or no?
Originally posted by Alcaro
stuff

I don't know how I didn't see this earlier.

I think I may have given the wrong impression.

Anyway, I never implied that it had been cracked, I was claiming that if they hadn't been going on about how SSL encryption is so good and all that, and they had actually been working properly on it, then they might have actually noticed the flaw in the system and had been able to fix it before something like this happened.

E: Oops, small bump.
Copyright © 2005 - 2019 - SMW Central