The Web Design Group

... Making the Web accessible to all.

Heartbleed, major SSL bug
jimlongo
post Apr 9 2014, 04:40 PM
Post #1


This is My Life
*******

Group: Members
Posts: 1,128
Joined: 24-August 06
From: t-dot
Member No.: 16



Appears trivial for hackers to steal passwords, credit card numbers, etc., from secure connections on unpatched servers.
Story here -> https://www.schneier.com/blog/archives/2014...heartbleed.html

more technical story here -> http://arstechnica.com/security/2014/04/cr...roulette-style/

For the time being, I don't think it's too alarmist to check any site before you input anything sensitive.
Check a server here -> http://filippo.io/Heartbleed/

This post has been edited by jimlongo: Apr 9 2014, 04:47 PM
pandy
post Apr 9 2014, 06:08 PM
Post #2


🌟Computer says no🌟
********

Group: WDG Moderators
Posts: 20,730
Joined: 9-August 06
Member No.: 6



Thanks. Hadn't heard about that. Maybe that explains why my CSS number has been stolen 4 or 5 times the last 5 years or so. Bank says the most likely is that someone you hand the card to physically memorizes it, but you never hand any one your card anymore, they all got the DIY machines now.
Frederiek
post Apr 10 2014, 03:23 AM
Post #3


Programming Fanatic
********

Group: Members
Posts: 5,146
Joined: 23-August 06
From: Europe
Member No.: 9



More info here:
http://heartbleed.com
http://tidbits.com/article/14662
http://alistapart.com/blog/post/the-heartb...afe-for-a-while
Christian J
post Apr 10 2014, 07:26 AM
Post #4


.
********

Group: WDG Moderators
Posts: 9,653
Joined: 10-August 06
Member No.: 7



QUOTE(pandy @ Apr 10 2014, 01:08 AM)

Maybe that explains why my CSS number

What's that, the security number on the backside of a credit card?

QUOTE
has been stolen 4 or 5 times the last 5 years or so.

From what I read the Heartbleed bug has only existed for two years.

QUOTE
Bank says the most likely is that someone you hand the card to physically memorizes it, but you never hand any one your card anymore, they all got the DIY machines now.

Probably a card skimming device can take a picture of the card number too. Or do you enter the number during online purchases? In any case 4 or 5 times sounds like an awful lot. I'd reevaluate all ATMs and physical card machines that you use, all websites where you enter the number, check your computer(s) for keyloggers, and perhaps change bank.

pandy
post Apr 10 2014, 09:39 AM
Post #5


🌟Computer says no🌟
********

Group: WDG Moderators
Posts: 20,730
Joined: 9-August 06
Member No.: 6



No, the actual number on the card, the long one.

Sure, skimming is also a possibility but the bank was adamant about it. But maybe they say that just so the robbed customer won't stop shopping online... On the other hand I've also had my card called back a couple of times because it may have been involved in a skimming. I have extremely bad luck with this. I think it's irritating that security is so bad when they more or less force us to use cards.
Christian J
post Apr 10 2014, 06:06 PM
Post #6


.
********

Group: WDG Moderators
Posts: 9,653
Joined: 10-August 06
Member No.: 7



Do you use your real card number online, or (much better) some kind of temporary "internet card number" issued by your bank? My bank previously offered the latter, but lately they've switched to "3-D Secure" which is just terrible: http://en.wikipedia.org/wiki/3-D_Secure#Ve...f_site_identity

QUOTE
I've also had my card called back a couple of times because it may have been involved in a skimming.

You're not using a VPN while shopping online? Banks may check all kinds of user data, including IP, so if your card appears to be used for purchases from all over the world maybe the bank's automatic security system reacts. OTOH, do sites involved with card payments routinely send your IP to banks?

QUOTE
I have extremely bad luck with this.

Almost impossibly so, unless you're using something that keeps harvesting each new card number you get.
pandy
post Apr 10 2014, 08:58 PM
Post #7


🌟Computer says no🌟
********

Group: WDG Moderators
Posts: 20,730
Joined: 9-August 06
Member No.: 6



QUOTE(Christian J @ Apr 11 2014, 01:06 AM)

Do you use your real card number online, or (much better) some kind of temporary "internet card number" issued by your bank? My bank previously offered the latter, but lately they've switched to "3-D Secure" which is just terrible: http://en.wikipedia.org/wiki/3-D_Secure#Ve...f_site_identity

SEB doesn't offer that. And frankly, it feels a little bothersome to have to log in to the bank and so on, several extra steps for each purchase.


QUOTE
QUOTE
I've also had my card called back a couple of times because it may have been involved in a skimming.

You're not using a VPN while shopping online? Banks may check all kinds of user data, including IP, so if your card appears to be used for purchases from all over the world maybe the bank's automatic security system reacts. OTOH, do sites involved with card payments routinely send your IP to banks?

No, not intentionally anyway. I sometimes use a VPN and it could very well happen that I shop while it's on, but that's nothing I think about. I don't see how that would affect skimming though. I guess they've discovered a skimming device at some place and recall all cards that have been used there around that time.


QUOTE
I have extremely bad luck with this.

Almost impossibly so, unless you're using something that keeps harvesting each new card number you get.


Something on my computer you mean? I don't think so. After all it's been a pretty long time between the incidents and they have never had my security number (the one on the back of the card), except possibly the last time. If it was a key logger or something they would have gotten that too. It's interesting that some buys went through without it, but some failed. Also, I ran numerous scanners when it first happened. I've hardly ever had a virus even. The bank said it could also be pure chance. They sometimes just generate random numbers and test them with small purchases and then move on to bigger things with the ones that are valid.
Christian J
post Apr 11 2014, 01:13 PM
Post #8


.
********

Group: WDG Moderators
Posts: 9,653
Joined: 10-August 06
Member No.: 7



Maybe we should go back to the Heartbleed bug now (sorry about the OT jimlongo, I'll give myself and pandy one warning each).
jimlongo
post Apr 11 2014, 01:17 PM
Post #9


This is My Life
*******

Group: Members
Posts: 1,128
Joined: 24-August 06
From: t-dot
Member No.: 16



Thanks, you beat me to it.

I suggest in the short term to avoid any SSL site that doesn't pass this test -> http://filippo.io/Heartbleed/

If you run a server, make sure the server is patched or not vulnerable. Regenerate any certificates. Then change all passwords.

"Really, is this necessary!?"

It's totally up to you. Just be aware of the risks. Personally I've changed my bank passwords even though they are the least likely to be affected. Server and email passwords. Gmail.

What I'm not going to worry about are the thousands of passwords to forums and other things that aren't encrypted to begin with.
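The "patched, then new certificate" rule from jimlongo's post, as an added example that is not code from the thread or from the test site linked above: a POSIX shell script with two checks, one that classifies an `openssl version` string against the upstream releases that shipped the bug (1.0.1 through 1.0.1f, fixed in 1.0.1g) and one that tells from a certificate's notBefore line whether it was issued after the 7 April 2014 disclosure. The function names and the assumption that you have the openssl CLI are mine; the affected range and disclosure date are public facts, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side checks for
# the "patched AND new certificate" rule.
#
# 1) Classify the output of `openssl version`. The upstream releases that
#    shipped the buggy heartbeat code are 1.0.1 through 1.0.1f; 1.0.1g fixed it.
#    Caveat: distributions backport the fix without changing the version
#    string, so "vulnerable" here means "confirm via your package changelog",
#    not proof of exposure.
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        "")               echo unknown ;;      # not an OpenSSL version line
        *)                echo ok ;;
    esac
}

# 2) Decide whether a certificate was issued after the 7 April 2014 disclosure,
#    from the line printed by `openssl x509 -in cert.pem -noout -startdate`
#    (format: "notBefore=Apr  9 12:00:00 2014 GMT"). A cert issued before that
#    date may have had its private key read out of a vulnerable server's
#    memory and should be replaced; a cert reissued on a still-unpatched
#    server is no better, so run check 1 first.
cert_status_from_startdate() {
    set -- $(printf '%s\n' "$1" | sed 's/^notBefore=//')
    mon=$1; day=$2; year=$4
    case "$mon" in
        Jan) m=1;;  Feb) m=2;;  Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;;  Aug) m=8;;  Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo unknown; return 2;;
    esac
    ymd=$(printf '%04d%02d%02d' "$year" "$m" "$day")   # e.g. 20140409
    if [ "$ymd" -ge 20140407 ]; then echo reissued; else echo stale; fi
}

# Stand-alone usage against the local system (adjust the cert path):
#   heartbleed_version_status "$(openssl version)"
#   cert_status_from_startdate "$(openssl x509 -in /etc/ssl/certs/site.pem -noout -startdate)"
```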
pandy
post Apr 11 2014, 02:23 PM
Post #10


🌟Computer says no🌟
********

Group: WDG Moderators
Posts: 20,730
Joined: 9-August 06
Member No.: 6



I tried the test site with a range of sites and got a lot of the below.

[Error this or that]
Check what it means at the FAQ.
It might mean that the server is safe, we just can't be 100% sure!
jimlongo
post Apr 11 2014, 02:49 PM
Post #11


This is My Life
*******

Group: Members
Posts: 1,128
Joined: 24-August 06
From: t-dot
Member No.: 16



Generally means something like:

- Windows IIS server
- doesn't work on non-SSL sites
- could be obfuscated in some way
- doesn't use OpenSSL

I would imagine that most sites would be patched now. At least anything that considers itself reputable. But all that means is it's maybe safe to change your password there. If they haven't replaced their certificate yet then even that is not reliable since the old cert may be compromised.

A site has to be patched and have a new certificate in place.
And needless to say the site itself should have its passwords changed.
Christian J
post Apr 12 2014, 11:59 AM
Post #12


.
********

Group: WDG Moderators
Posts: 9,653
Joined: 10-August 06
Member No.: 7



Seems FileZilla Server (before version 0.9.44) is affected: https://forum.filezilla-project.org/viewtop...f=6&t=32694

But FileZilla Client (the ordinary FTP program) is not: https://forum.filezilla-project.org/viewtop...f=2&t=32703
Christian J
post May 7 2014, 05:01 PM
Post #13


.
********

Group: WDG Moderators
Posts: 9,653
Joined: 10-August 06
Member No.: 7



The (classic) Opera/Presto 12.16 (and earlier?) is also allegedly at least at risk from being affected, and a 12.17 patch has been released:
http://www.opera.com/docs/changelogs/windows/1217/
http://blogs.opera.com/desktop/2014/04/opera-12-17/