Judiciary Pag
Kiith Paktu Curatores Veritatis Alliance
4
Posted - 2014.04.08 12:20:00 - [1]
Is it time to start changing our passwords and stuff? I just ran some PoC code for this bug on my own server and was trivially able to get random bits of cookie data (containing logins/session IDs) and even bits of PHP code. The fact that I can't even see this in the logs means the fallout of this bug is going to be enormous /o\
On reddit there is a fascinating thread with people trying this on big, well-known websites (e.g. Yahoo mail), unwise as that seems, but they are able to actually get login data for users,
Herzog Wolfhammer
Sigma Special Tactics Group
4699
Posted - 2014.04.08 23:42:00 - [2]
Bump.
This is HUGE.
I already tested a program freely available on the internet and ran it against a server I have control of to find it was vulnerable - so this is everywhere.
Bring back DEEEEP Space!
Sum Olgy
Future Corps Sleeper Social Club
59
Posted - 2014.04.09 19:40:00 - [3]
CCP - you need to answer this. It's either 'Yes - we've patched, so you should change your passwords' or 'No - we weren't affected'.
CCP Eterne
C C P C C P Alliance
3391
Posted - 2014.04.09 20:13:00 - [4]
No, we were not affected. We do not use OpenSSL on our server or any of our account services.
EVE Online/DUST 514 Community Representative • EVE Illuminati • Fiction Adept
@CCP_Eterne • @EVE_LiveEvents
Padrone
Rennfeuer Curatores Veritatis Alliance
0
Posted - 2014.04.09 20:24:00 - [5]
The IIS is faultily configured! https://www.ssllabs.com/ssltest/analyze.html?d=secure.eveonline.com
- secure.eveonline.com still prefers older cipher suites, which do not use PFS by default! PFS is a must-have for TLS 1.2.
Sum Olgy
Future Corps Sleeper Social Club
59
Posted - 2014.04.09 22:18:00 - [6]
Thanks
Sentient Blade
Crisis Atmosphere
1212
Posted - 2014.04.09 23:13:00 - [7]
Perfect forward secrecy is desirable, but not essential.
Steven Alfrir
Republic University Minmatar Republic
15
Posted - 2014.04.09 23:53:00 - [8]
CCP Eterne wrote: No, we were not affected. We do not use OpenSSL on our server or any of our account services.
HOWEVER, store.eve.com (which is run by Musterbrand) was compromised (it has been patched), so if you used that at all, it is a good idea to change your passwords there. But nothing on the eveonline.com website itself, or for our game servers, was compromised.

Good to hear that eveonline.com is not affected, but I changed my password, since I logged into the EVE Online Store using the account I'm posting this with. I changed it just to be safe and because I don't want some thief to steal all 49 ships I own, plus all the ammo, hybrid charges and missiles used to keep my ships in top fighting condition.
Dun'Gal
Myriad Contractors Inc.
101
Posted - 2014.04.10 03:23:00 - [9]
Funny anecdote on this: my roommate was in doing his taxes today and the lady preparing them was convinced that the Heartbleed bug was a biological illness and millions of people were dying left and right. When he questioned her about it, not having heard about it yet himself, she said "duh, it's called bleeding heart, so obviously their hearts are bleeding". Ah, the uninformed.
Markku Laaksonen
EVE University Ivy League
442
Posted - 2014.04.10 13:00:00 - [10]
And if we use the "Login with your existing EVE Account" option to log into the store? Would we need to change our EVE account password?
(I am, as Dun'Gal mentioned, one of the uninformed. Or at least not very bright.)
DUST 514 Recruit Code - https://dust514.com/recruit/zluCyb/
EVE Buddy Invite - https://secure.eveonline.com/trial/?invc=047203f1-4124-42a1-b36f-39ca8ae5d6e2&action=buddy
Padrone
Rennfeuer Curatores Veritatis Alliance
0
Posted - 2014.04.12 09:25:00 - [11]
Sentient Blade wrote: Perfect forward secrecy is desirable, but not essential.

SSL/TLS is desirable, but not essential ^^
https://www.ssllabs.com/ssltest/analyze.html?d=forums.eveonline.com -> all sessions are encrypted with RC4, with no FS! https://en.wikipedia.org/wiki/RC4
- in this way, your HTTPS session is almost in clear text.
Fact is: use current techniques in accordance with the time.
Switching to TLS 1.2 is done in about 5 minutes for a conscientious admin.
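The two configuration complaints raised in posts [5] and [11] (RC4, and suites without forward secrecy) can be checked mechanically. The script below is an added example written for this page, not code from the forum, from CCP or from SSL Labs; the suite list it audits is constructed, and `probe_server` is meant for a host you operate yourself.

```python
"""Audit TLS cipher suites for the two problems raised in this thread: RC4 and
missing forward secrecy.  Handles OpenSSL names and IANA names alike."""
import socket
import ssl
from dataclasses import dataclass

# Ciphers/MACs that should not appear in a modern suite list at all.
WEAK_TOKENS = {"RC4", "DES", "3DES", "NULL", "EXP", "EXPORT", "MD5", "ADH", "AECDH", "ANON"}
# TLS 1.3 suites name no key exchange because it is always ephemeral.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

@dataclass(frozen=True)
class Verdict:
    suite: str
    forward_secrecy: bool
    weak: bool
    issues: tuple

def classify_suite(name: str) -> Verdict:
    """Classify one suite name under either naming convention."""
    tokens = name.upper().replace("-", "_").split("_")
    # Only ephemeral (EC)DH key exchange gives forward secrecy; static RSA or
    # static (EC)DH does not, so a stolen private key decrypts recorded traffic.
    fs = name.upper() in TLS13_SUITES or "ECDHE" in tokens or "DHE" in tokens
    weak = any(t in WEAK_TOKENS for t in tokens)
    issues = []
    if not fs:
        issues.append("no forward secrecy (static key exchange)")
    if weak:
        issues.append("weak cipher or MAC")
    return Verdict(name, fs, weak, tuple(issues))

def audit_preference_list(suites):
    """Suites to remove or demote, kept in server preference order: the first
    entry is the one most clients will actually be given."""
    return [v for v in map(classify_suite, suites) if v.issues]

def probe_server(host: str, port: int = 443):
    """Live check: negotiate once with the default client policy and return
    the protocol version plus the verdict on the suite the server chose."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            suite, _proto, _bits = tls.cipher()
            return tls.version(), classify_suite(suite)

if __name__ == "__main__":
    # Constructed list like the thread describes: RC4 first, static-RSA AES next.
    for v in audit_preference_list(["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]):
        print(v.suite, "->", "; ".join(v.issues))
```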
PrettyMuch Always Right
University of Caille Gallente Federation
28
Posted - 2014.04.13 00:53:00 - [12]
I'm just gonna do nothing... if someone steals my ****, I'll either chalk it up to emergent gameplay or come here and make a long whining post before I quit.