Heartbleed?

TheDeep · April 10, 2014

Is our photo hosting at smugmug affected by heartbeat? how about the dgrin forum? Should we change our passwords? Would like to confirm that my information is safe.

zacHer0 · April 10, 2014

*Heartbleed*

SmugMug has taken the recommended actions and are no longer affected by the issue. No need to take any further action.

I'm not sure about Dgrin but i will find out for you. I'm sure it is fine but I will double check.

TheDeep · April 10, 2014

Thank you for your quick reply. If Smugmug has taken action, does that meant that Smugmug was affected? If so, wouldn't that mean that we need to change our passwords now "post action"?

zacHer0 · April 10, 2014

TheDeep wrote: »

Thank you for your quick reply. If Smugmug has taken action, does that meant that Smugmug was affected? If so, wouldn't that mean that we need to change our passwords now "post action"?

No, you do not need to change your passwords.

zacHer0 · April 10, 2014

Update: Dgrin was not affected.

TheDeep · April 10, 2014

Thank you

Richard · April 11, 2014

zacHer0 wrote: »

*Heartbleed*

SmugMug has taken the recommended actions and are no longer affected by the issue. No need to take any further action.

I'm not sure about Dgrin but i will find out for you. I'm sure it is fine but I will double check.

Hmmm...this is not completely reassuring, Zac. The issue for SM, Dgrin, and everybody else on the Web is whether they had been vulnerable during the two years prior to the public disclosure of the bug. Even if data are not being exposed today, they might have been in the past. So the proper question to ask any site goes back to the McCarthy era: "Are you now or have you ever been [strike]a communist[/strike] vulnerable to heartbleed ?" I suspect that most companies are not going to be completely forthcoming about it.

Today's xkcd might help clarify the issue for non-techies:

If you have been following good password protection practices all along, it should not be a big deal to change the passwords of your critical accounts. If you use the same password everywhere, now would be a good time change them.

Richard · April 11, 2014

zacHer0 wrote: »

No, you do not need to change your passwords.

Well, maybe. If SM was never vulnerable you are safe as long as you didn't use the same username and password on any other Web site. But if you did use the same password on many sites, any one of them might have exposed your data. That's why this bug is so potentially dangerous.

Baldy · April 11, 2014

Richard wrote: »

Hmmm...this is not completely reassuring, Zac. The issue for SM, Dgrin, and everybody else on the Web is whether they had been vulnerable during the two years prior to the public disclosure of the bug. Even if data are not being exposed today, they might have been in the past. So the proper question to ask any site goes back to the McCarthy era: "Are you now or have you ever been [strike]a communist[/strike] vulnerable to heartbleed ?" I suspect that most companies are not going to be completely forthcoming about it.

Today's xkcd might help clarify the issue for non-techies:

If you have been following good password protection practices all along, it should not be a big deal to change the passwords of your critical accounts. If you use the same password everywhere, now would be a good time change them.

Hi Richard,

Our SSL provider is Akamai, who patched the bug sometime before it was publicly disclosed, because the OpenSSL team gave them advanced notice.

To the best of my knowledge we, along with Yahoo, Facebook, Google, etc., could have been compromised without us knowing. So out of an abundance of caution it seems like a good idea to change your passwords wherever you have sensitive data.

This mashable article looks like a pretty good reference:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

I hope this helps,
Baldy

Richard · April 11, 2014

Baldy wrote: »

Hi Richard,

Our SSL provider is Akamai, who patched the bug sometime before it was publicly disclosed, because the OpenSSL team gave them advanced notice.

To the best of my knowledge we, along with Yahoo, Facebook, Google, etc., could have been compromised without us knowing. So out of an abundance of caution it seems like a good idea to change your passwords wherever you have sensitive data.

This mashable article looks like a pretty good reference:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

I hope this helps,
Baldy

Thanks Baldy. I appreciate your frank reply.

shandrew · April 11, 2014

If you'd like to read some high quality technical analysis of the bug, check out http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

Richard · April 12, 2014

shandrew wrote: »

If you'd like to read some high quality technical analysis of the bug, check out http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

Interesting read, thanks. It does make it sound as if the sky isn't, in fact, falling over this one. Good to know.

ChancyRat · April 16, 2014

Richard wrote: »

Interesting read, thanks. It does make it sound as if the sky isn't, in fact, falling over this one. Good to know.

It appears this site has been updated to say that the article as originally written, was wrong.
Reference is to 12-ish today, I think. FYI.
http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

Heartbleed?

Comments