denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)
Denise ([staff profile] denise) wrote in [site community profile] dw_maintenance2014-04-08 08:16 pm

"Heartbleed" security vulnerability

For those who have seen reference today in the press to the "Heartbleed" security vulnerability in OpenSSL, we'd like to reassure you that although we (like a large portion of the internet) were running the affected software, we patched our servers last night and were no longer vulnerable from that point.

We have no reason to believe that anyone was exploiting this vulnerability against us or that any user data has been compromised. We'll be changing our security certificates for extra confidence.

On the other hand, the nature of this vulnerablity means that it's impossible for a website to know for absolute certain whether someone was exploiting it. If someone was exploiting the vulnerability, against us or against any other website, they potentially have access to any information you sent to the site, including your username/password for the site and any data you sent to the site under HTTPS. It's a good idea to change your passwords pretty much everywhere, but don't do it until you can verify that a site is no longer vulnerable.

If you have any questions, feel free to ask!
mark: A photo of Mark kneeling on top of the Taal Volcano in the Philippines. It was a long hike. (Default)

[staff profile] mark 2014-04-09 12:19 am (UTC)(link)
If you want more background details on the bug: http://heartbleed.com/ It's pretty gnarly.

Edited: Dreamwidth has now rotated our SSL certificates. If they had been compromised (which is pretty unlikely, given the particulars of the bug), then they're no longer.
Edited 2014-04-09 09:09 (UTC)
highlyeccentric: Sign on Little Queen St - One Way both directions (Default)

[personal profile] highlyeccentric 2014-04-09 09:51 am (UTC)(link)
Suspicious minds want to know... who's running this heartbleed site, and is there any chance that someone is playing a long con?
highlyeccentric: Sign on Little Queen St - One Way both directions (Default)

[personal profile] highlyeccentric 2014-04-09 12:21 pm (UTC)(link)
Cool cool. I eventually tracked down the citation to cryptonomicon, but having no authority in this area myself, yet feeling obliged to report/explain it to friends and relations, thought I'd better ask suspicious questions first!
fuchsian: (araragi)

[personal profile] fuchsian 2014-04-09 11:26 am (UTC)(link)
"This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team."

[personal profile] decepticon_mistress 2014-04-09 12:29 am (UTC)(link)
Yikes! Sure hope that nobody exploited Dreamwidth and its users.
sarajayechan: who drew this?? (L'Arachel/Eirika)

[personal profile] sarajayechan 2014-04-09 01:23 am (UTC)(link)
Someone talked about this on tumblr a while ago. Looks like I have some passwords to change.
kyrielle: A photo of kyrielle, in profile, turned slightly toward the viewer (Default)

[personal profile] kyrielle 2014-04-09 01:28 pm (UTC)(link)
Thank you for those links! I was wondering how on earth to figure out which ones were safe/patched, if they didn't announce it where I could see it. :)

Also, oh goodness, all the passwords. Meh. This will take a while.... O.o
groovesinorbit: giles approving (giles-thumbs up)

[personal profile] groovesinorbit 2014-04-09 01:31 pm (UTC)(link)
Thanks for posting these links. Very helpful!
the: (michelangelo ☛ ( what time is it? ))

[personal profile] the 2014-04-09 01:33 am (UTC)(link)
could they have named it anything cooler?
the: (p. pie  ☛ ( calm down crazy ))

[personal profile] the 2014-04-09 01:41 am (UTC)(link)
daaaang. that is one good-lookin' bug!

Password management

[personal profile] babysprite 2014-04-09 01:37 am (UTC)(link)

Understood.

I'll change my password ... just in case.

Thanks for keeping us in the know.

/\__/\
(='.'=)
(")_(")
MUSIC: John Prine and Iris Dement - In Spite of Ourselves

[personal profile] alexbayleaf 2014-04-09 02:33 am (UTC)(link)
There's some discussion about this, and whether you need to change all your passwords, over in my journal. Spoiler: I take the view that you don't need to change everything, just the important stuff. What's important will, of course, depend on your own circumstances, but when "all your passwords" can mean hundreds of sites, you will probably want to prioritise.

[personal profile] alexbayleaf 2014-04-09 02:59 am (UTC)(link)
Heh, yeah :) Unfortunately this morning I woke up to a huge swathe of my twitter list panicking about the world ending or something, because that's the way the media's been pitching it, so I've spent a good part of my morning talking them down.

[personal profile] alexbayleaf 2014-04-09 03:13 am (UTC)(link)
I have some sort of philosophical thoughts about how this filtered out into mainstream media, here. I refrained from posting in this thread because it didn't really seem the right place, but you might be interested?
vlion: cut of the flammarion woodcut, colored (Default)

[personal profile] vlion 2014-04-09 03:51 am (UTC)(link)
Most people tend to share passwords between sites. Myself included (but steadily less so).

This vuln means that if I pick up your user/pass on oldknittingneedles.net, I don't care what I can do with it on OKN, but I sure care that I might be able to hop into your email or other critical data pieces with it.

Were I blackhatting, I'd have jumped on this, written an automatted memory scanner that hunted credentials for the top 100,000 sites, unleashed it with a botnet, sat back, and seen what sort of cross-logins into highly valuable sites I could start driving from known-good user/passes. =)

[personal profile] alexbayleaf 2014-04-09 06:05 am (UTC)(link)
That's why you should change your password on any site that is critical (whether that's email or whatever). But if you get my user/pass from oldknittingneedles.net and then find you can use it on cutekittenpics.com and ratemypencil.com... who cares? My point is: know what your critical passwords are and take care of them, but don't sweat the small stuff if the bother of changing it is greater than the cost of losing it.
sharpiefan: Hornblower, hand over face (HH facepalm)

[personal profile] sharpiefan 2014-04-09 11:13 am (UTC)(link)
I take pretty much this view and always have. My RP accounts share a password (except staff accounts), and things like Paypal and Amazon get their own secure passwords that I don't then use on any other site. I do my best to ensure that passwords aren't guessable either.

This whole thing is pretty much not what I wanted to wake up to this morning. Oh well.

Who's for a coffee?
quirkytizzy: (Default)

[personal profile] quirkytizzy 2014-04-09 02:42 am (UTC)(link)
Really glad to know we have you guys on our side!
zelinxia: (Default)

[personal profile] zelinxia 2014-04-09 03:32 am (UTC)(link)
Saw this on tumblr. There's a good, lengthy list of sites on github that says which are vulnerable and which aren't; or do not use SSL here.
solitarywalker: (Default)

[personal profile] solitarywalker 2014-04-09 03:42 am (UTC)(link)
Stupid question, this site uses HTTPS? I've long wished that it did; all the urls/pages seem to just be HTTP.
ieune: kneeling lamb apparently smiling at camera (smile)

[personal profile] ieune 2014-04-09 08:10 am (UTC)(link)
a lot of yak-shaving Thanks for the giggle. I really needed it this morning, and nothing related to the above either.
solitarywalker: (Default)

[personal profile] solitarywalker 2014-04-26 03:56 pm (UTC)(link)
As a free user, HTTPS is a feature I'd consider worth paying for. But ideally, what I'd want to see encrypted would be not just all my DW activity but also other peoples' views of my entries, including from their Reading pages. (If my entries are protected when I read them but not when someone else does, that doesn't do much good.) But if most people have at least 1 paid account in their circle, that's a lot of reading pages to send through HTTPS, so then the economics might not work out? These yaks are pretty hairy I guess...
kanagosa: My dragonsona (Default)

[personal profile] kanagosa 2014-04-09 04:04 am (UTC)(link)
Thanks for the update!
ironed_orchid: pin up girl reading kant (Default)

[personal profile] ironed_orchid 2014-04-09 05:12 am (UTC)(link)
As usual, Dreamwidth is the first service I use to actually make a statement to users about this.

Thanks for being awesome.
dil: (Default)

[personal profile] dil 2014-04-09 07:55 am (UTC)(link)
As far as I understand the main problem is stealing private keys and using them in MITM attacks, so replacing certificates is the right idea.

Thanks for paying attention to this.
emperor: (Default)

[personal profile] emperor 2014-04-09 11:14 am (UTC)(link)
I assume you will be changing your SSL keys as well as the certificates?
alierak: (Default)

[personal profile] alierak 2014-04-09 03:51 pm (UTC)(link)
Yep.
white_jenna: (Default)

[personal profile] white_jenna 2014-04-09 12:11 pm (UTC)(link)
Thank you very much for the update, and for the test sites!
shirebound: (Default)

[personal profile] shirebound 2014-04-09 12:49 pm (UTC)(link)
Thank you for this timely post, and quick action.
1179875: (Default)

[personal profile] 1179875 2014-04-09 02:58 pm (UTC)(link)
Thank you! :D
tree_and_leaf: Isolated tree in leaf, against blue sky. (Default)

[personal profile] tree_and_leaf 2014-04-09 03:26 pm (UTC)(link)
Deleted two comments because I realised I wasn't replying to the post I thought I was - but thank you for your prompt action and explaining what's going on.
the_marshal: (Default)

[personal profile] the_marshal 2014-04-09 04:10 pm (UTC)(link)
Just to clarify: I actually happened to purchase some services from DW yesterday, but my passwords from here and my banking website are entirely different. Since you don't store credit card numbers there's not chance it got swiped right?
the_marshal: (Default)

[personal profile] the_marshal 2014-04-09 10:28 pm (UTC)(link)
I see! Thank you.

I've already changed my password over at my banking website - it seemed to be clear according to the previously linked tools - so I'll just keep an eye on things and not let myself worry about it too much.

Thank you for taking the time to explain it for me. :)

[personal profile] knight_of_angels 2014-04-10 11:24 am (UTC)(link)
Thank you for posting this! Your efforts are greatly appreciated.
redsixwing: Red-winged angel staring at a distant star. (Default)

[personal profile] redsixwing 2014-04-10 04:09 pm (UTC)(link)
You're awesome. Of all the sites I use, DW has been the fastest and clearest about what was done to get around Heartbleed.

Also, I am highly interested in always-https mode once your yaks are properly shaved.

I needed a new password algorithm anyway. *cough*