Denise (denise) wrote in dw_maintenance, 2014-04-08 08:16 pm

"Heartbleed" security vulnerability

For those who have seen reference today in the press to the "Heartbleed" security vulnerability in OpenSSL, we'd like to reassure you that although we (like a large portion of the internet) were running the affected software, we patched our servers last night and were no longer vulnerable from that point.

We have no reason to believe that anyone was exploiting this vulnerability against us or that any user data has been compromised. We'll be changing our security certificates for extra confidence.

On the other hand, the nature of this vulnerability means that it's impossible for a website to know with absolute certainty whether someone was exploiting it. If someone was exploiting the vulnerability, against us or against any other website, they potentially have access to any information you sent to the site, including your username/password for the site and any data you sent to the site under HTTPS. It's a good idea to change your passwords pretty much everywhere, but don't do it until you can verify that a site is no longer vulnerable.

If you have any questions, feel free to ask!
vlion 2014-04-09 03:51 am (UTC)
Most people tend to share passwords between sites. Myself included (but steadily less so).

This vuln means that if I pick up your user/pass on oldknittingneedles.net, I don't care what I can do with it on OKN, but I sure care that I might be able to hop into your email or other critical data pieces with it.

Were I blackhatting, I'd have jumped on this, written an automated memory scanner that hunted credentials for the top 100,000 sites, unleashed it with a botnet, sat back, and seen what sort of cross-logins into highly valuable sites I could start driving from known-good user/passes. =)

alexbayleaf 2014-04-09 06:05 am (UTC)
That's why you should change your password on any site that is critical (whether that's email or whatever). But if you get my user/pass from oldknittingneedles.net and then find you can use it on cutekittenpics.com and ratemypencil.com... who cares? My point is: know what your critical passwords are and take care of them, but don't sweat the small stuff if the bother of changing it is greater than the cost of losing it.
sharpiefan 2014-04-09 11:13 am (UTC)
I take pretty much this view and always have. My RP accounts share a password (except staff accounts), and things like Paypal and Amazon get their own secure passwords that I don't then use on any other site. I do my best to ensure that passwords aren't guessable either.

This whole thing is pretty much not what I wanted to wake up to this morning. Oh well.

Who's for a coffee?