Forum Index | Search | Register (New User) | Login (Existing User) | Who's Online | FAQ | Main Site

Technical Discussion
  >> Security Related Issues Previous thread View all threads Next thread


Register (or login) on our website and you will not see this ad.


Pages in this thread: 1 | 2 | [3] | 4 | 5 | (show all)   Print Thread
Standard User bobble_bob
(fountain of knowledge) Thu 10-Apr-14 06:06:32
Print Post

Re: OpenSSL vulnerability


[re: billford] [link to this post] 		 
No point resetting anything until the server are patched on everything you use
Standard User billford
(elder) Thu 10-Apr-14 06:29:28
Print Post

Re: OpenSSL vulnerability


[re: bobble_bob] [link to this post] 		 
And it could happen (if Lady Luck was having an off day) that logging in to change your password would also disclose your new password...

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User bobble_bob
(fountain of knowledge) Thu 10-Apr-14 06:31:20
Print Post

Re: OpenSSL vulnerability


[re: deleted] [link to this post] 		 
2 step verification seems most secure way atm. Although it has been possible to bypass it it makes it alot harder to


Register (or login) on our website and you will not see this ad.

Administrator MrSaffron
(staff) Thu 10-Apr-14 09:56:11
Print Post

Re: OpenSSL vulnerability


[re: billford] [link to this post] 		 
Along with other security phrases that password updates sometimes ask for......

Andrew Ferguson, [email protected]
www.thinkbroadband.com - formerly known as ADSLguide.org.uk
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User billford
(elder) Thu 10-Apr-14 10:08:13
Print Post

Re: OpenSSL vulnerability


[re: MrSaffron] [link to this post] 		 
A day is always well started by spreading a little alarm and despondency grin

Bill
A level playing field is level in both directions.

__________Fold at Home_________________Planes and Boats and ... ______________BQMs: IPv4 IPv6
Standard User bobble_bob
(fountain of knowledge) Thu 10-Apr-14 10:35:39
Print Post

Re: OpenSSL vulnerability


[re: billford] [link to this post] 		 
Do wonder if this has been exploited yet. Been around for 2 years and apart ftom Yahoo accounts being compromised a fair bit, doesn't appear to be many reports of other sites suffering large scale account conpromises
Standard User deleted
(deleted) Thu 10-Apr-14 11:49:45
Print Post

Re: OpenSSL vulnerability


[re: bobble_bob] [link to this post] 		 
In reply to a post by bobble_bob:
No point resetting anything until the server are patched on everything you use


Exactly. Could be counter-productive, in fact, exposing both old and new passwords.

Here's how it works.

Android 4.1.1 is vulnerable, so, reversing the attack, a malicious server could be used to extract passwords from your phone.

Scarily, we found our hosting and email providers' tech support to be totally clueless. Less scarily, though, it looks like their real tech people have already fixed most things and put measures in place to block the exploit whilst they fix the rest.
Standard User deleted
(deleted) Thu 10-Apr-14 12:14:34
Print Post

Re: OpenSSL vulnerability


[re: bobble_bob] [link to this post] 		 
Right I've had a bit more time.

live.com does indeed not have SSL - it uses an HTTP 301 redirect. The redirect goes to another non-SSL site, which is a load balanced front end for mail.live.com which is itself an alias of www.live.com. That site finally pushes the client to login.live.com, another alias, which is HTTPS:

TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)

Probably the amount of redirects confused the tester, it was likely expecting no more than a single redirect via an HTTP 301 to a secure site.
Standard User bobble_bob
(fountain of knowledge) Thu 10-Apr-14 12:20:47
Print Post

Re: OpenSSL vulnerability


[re: deleted] [link to this post] 		 
How long realistically would it take all the major sites (email, banks etc) to update their servers?

No point changing passwords until they do
Administrator MrSaffron
(staff) Thu 10-Apr-14 13:20:27
Print Post

Re: OpenSSL vulnerability


[re: bobble_bob] [link to this post] 		 
http://www.telegraph.co.uk/technology/internet-secur...

Is a nice clear and easy to follow list, not perfect for the average human keeps it simple.

Andrew Ferguson, [email protected]
www.thinkbroadband.com - formerly known as ADSLguide.org.uk
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Pages in this thread: 1 | 2 | [3] | 4 | 5 | (show all)   Print Thread

Previous thread View all threads Next thread
Jump to