"Heartbleed" security vulnerability

[denise]

For those who have seen reference today in the press to the "Heartbleed" security vulnerability in OpenSSL, we'd like to reassure you that although we (like a large portion of the internet) were running the affected software, we patched our servers last night and were no longer vulnerable from that point.

We have no reason to believe that anyone was exploiting this vulnerability against us or that any user data has been compromised. We'll be changing our security certificates for extra confidence.

On the other hand, the nature of this vulnerablity means that it's impossible for a website to know for absolute certain whether someone was exploiting it. If someone was exploiting the vulnerability, against us or against any other website, they potentially have access to any information you sent to the site, including your username/password for the site and any data you sent to the site under HTTPS. It's a good idea to change your passwords pretty much everywhere, but don't do it until you can verify that a site is no longer vulnerable.

If you have any questions, feel free to ask!

Comments

[mark]

If you want more background details on the bug: http://heartbleed.com/ It's pretty gnarly.

Edited: Dreamwidth has now rotated our SSL certificates. If they had been compromised (which is pretty unlikely, given the particulars of the bug), then they're no longer.

[denise]

Thank you for taking care of all this! You are awesome.

[highlyeccentric]

Suspicious minds want to know... who's running this heartbleed site, and is there any chance that someone is playing a long con?

[denise]

The site belongs to the security researchers who found the bug and worked with the OpenSSL maintainers and the various Linux distros to get patched versions out quickly -- the site is just the description of the bug (which is easily verifiable by anybody who can read the code) to lay it all out for people clearly and cleanly. They're pretty firmly white hat.

[highlyeccentric]

Cool cool. I eventually tracked down the citation to cryptonomicon, but having no authority in this area myself, yet feeling obliged to report/explain it to friends and relations, thought I'd better ask suspicious questions first!

[ravengown]

"This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team."

[decepticon_mistress]

Yikes! Sure hope that nobody exploited Dreamwidth and its users.

[sarajayechan]

Someone talked about this on tumblr a while ago. Looks like I have some passwords to change.

[denise]

Check to make sure the site isn't vulnerable first (here's one tool; here's another) before you change your passwords on that site. If it's still vulnerable, changing your password won't do anything to protect your data, and if you reuse passwords (since people reuse passwords no matter how bad an idea it is), risks your accounts elsewhere too.

[kyrielle]

Thank you for those links! I was wondering how on earth to figure out which ones were safe/patched, if they didn't announce it where I could see it. :)

Also, oh goodness, all the passwords. Meh. This will take a while.... O.o

[groovesinorbit]

Thanks for posting these links. Very helpful!

[the]

could they have named it anything cooler?

[denise]

Ha, I know. It's a very attention-getting name! (And very appropriate, too, since the security flaw stems from the "heartbeat" function.) The security researchers who discovered it have a knack for both naming and graphic design.

[the]

daaaang. that is one good-lookin' bug!

Password management

[babysprite]

Understood.

I'll change my password ... just in case.

Thanks for keeping us in the know.

/\__/\
(='.'=)
(")_(")

MUSIC: John Prine and Iris Dement - In Spite of Ourselves

[alexbayleaf]

There's some discussion about this, and whether you need to change all your passwords, over in my journal. Spoiler: I take the view that you don't need to change everything, just the important stuff. What's important will, of course, depend on your own circumstances, but when "all your passwords" can mean hundreds of sites, you will probably want to prioritise.

[denise]

Well, my recommendation to people to change all their passwords is mostly based on the assumption that many people reuse passwords (or use passwords based on an easily-guessable site-specific variation). Also the fact that most people don't change their passwords as often as they should and anything that gets people to change passwords is probably a good thing ;)

[alexbayleaf]

Heh, yeah :) Unfortunately this morning I woke up to a huge swathe of my twitter list panicking about the world ending or something, because that's the way the media's been pitching it, so I've spent a good part of my morning talking them down.

[denise]

Yeah, I know what you mean. I can't count the number of people I've seen who are confused about whether this is something affecting their own computer's sofware or not. Why is mainstream tech journalist just so bad sometimes? Argh.

[alexbayleaf]

I have some sort of philosophical thoughts about how this filtered out into mainstream media, here. I refrained from posting in this thread because it didn't really seem the right place, but you might be interested?

[vlion]

Most people tend to share passwords between sites. Myself included (but steadily less so).

This vuln means that if I pick up your user/pass on oldknittingneedles.net, I don't care what I can do with it on OKN, but I sure care that I might be able to hop into your email or other critical data pieces with it.

Were I blackhatting, I'd have jumped on this, written an automatted memory scanner that hunted credentials for the top 100,000 sites, unleashed it with a botnet, sat back, and seen what sort of cross-logins into highly valuable sites I could start driving from known-good user/passes. =)

[alexbayleaf]

That's why you should change your password on any site that is critical (whether that's email or whatever). But if you get my user/pass from oldknittingneedles.net and then find you can use it on cutekittenpics.com and ratemypencil.com... who cares? My point is: know what your critical passwords are and take care of them, but don't sweat the small stuff if the bother of changing it is greater than the cost of losing it.

[sharpiefan]

I take pretty much this view and always have. My RP accounts share a password (except staff accounts), and things like Paypal and Amazon get their own secure passwords that I don't then use on any other site. I do my best to ensure that passwords aren't guessable either.

This whole thing is pretty much not what I wanted to wake up to this morning. Oh well.

Who's for a coffee?

[quirkytizzy]

Really glad to know we have you guys on our side!

[zelinxia]

Saw this on tumblr. There's a good, lengthy list of sites on github that says which are vulnerable and which aren't; or do not use SSL here.

[solitarywalker]

Stupid question, this site uses HTTPS? I've long wished that it did; all the urls/pages seem to just be HTTP.

[denise]

Yes, payments, logins, and password changes are done over HTTPS, for instance. (Logging in on a non-HTTPS page, such as through the navigation strip, is done with in-browser encryption.)

We do keep meaning to add "always-HTTPS" mode, even if only as a paid feature (because of load), but there's a lot of yak-shaving that has to be done first. It's on the list, though.

[ieune]

a lot of yak-shaving Thanks for the giggle. I really needed it this morning, and nothing related to the above either.

[solitarywalker]

As a free user, HTTPS is a feature I'd consider worth paying for. But ideally, what I'd want to see encrypted would be not just all my DW activity but also other peoples' views of my entries, including from their Reading pages. (If my entries are protected when I read them but not when someone else does, that doesn't do much good.) But if most people have at least 1 paid account in their circle, that's a lot of reading pages to send through HTTPS, so then the economics might not work out? These yaks are pretty hairy I guess...

[denise]

Yeah, exactly, plus all the technical stuff (both code-wise and infrastructure-wise). Every now and then I sit down and do the "what we'd need to get done first in order to do this" list and kind of whimper a little.

[kanagosa]

Thanks for the update!

[ironed_orchid]

As usual, Dreamwidth is the first service I use to actually make a statement to users about this.

Thanks for being awesome.

[dil]

As far as I understand the main problem is stealing private keys and using them in MITM attacks, so replacing certificates is the right idea.

Thanks for paying attention to this.

[emperor]

I assume you will be changing your SSL keys as well as the certificates?

[alierak]

Yep.

[white_jenna]

Thank you very much for the update, and for the test sites!

[shirebound]

Thank you for this timely post, and quick action.

[dickgrayson]

Thank you! :D

[tree_and_leaf]

Deleted two comments because I realised I wasn't replying to the post I thought I was - but thank you for your prompt action and explaining what's going on.

[the_marshal]

Just to clarify: I actually happened to purchase some services from DW yesterday, but my passwords from here and my banking website are entirely different. Since you don't store credit card numbers there's not chance it got swiped right?

[denise]

Well, the way this bug works is that there's a chance anyone who was exploiting it could watch "over the shoulder" of all encrypted traffic in addition to having access to things like passwords and the like, so if you made any payments at all, anywhere, between the time this bug was introduced (December of 2011) and now, there's a chance your card number was compromised. It's a very tiny chance -- there's no evidence this was being exploited "in the wild" before the disclosure was made -- but still, it's a chance. This isn't just something that we were affected by, it's something that pretty much the whole internet was affected by.

It's not a huge risk, though. Change your banking website password, keep an eye on your credit card and banking statements for a few weeks, but it's not "cancel all your credit cards" level of risk and I wouldn't worry too much if I were you. (I'm in the same boat as you of having used my credit card online somewhere post-disclosure-and-pre-patch and I'm not worried, and where I used it was a much higher-value target than DW was.)

[the_marshal]

I see! Thank you.

I've already changed my password over at my banking website - it seemed to be clear according to the previously linked tools - so I'll just keep an eye on things and not let myself worry about it too much.

Thank you for taking the time to explain it for me. :)

[knight_of_angels]

Thank you for posting this! Your efforts are greatly appreciated.

[redsixwing]

You're awesome. Of all the sites I use, DW has been the fastest and clearest about what was done to get around Heartbleed.

Also, I am highly interested in always-https mode once your yaks are properly shaved.

I needed a new password algorithm anyway. *cough*