Heartbleed Bug

[SuperTaz]

http://www.foxnews.com/tech/2014/04/10/what-need-to-know-about-heartbleed-bug/?intcmp=features

 

  Quote

 

Millions of passwords, credit card numbers and other personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week, called the “Heartbleed” bug.

 

The damage caused by the bug is currently unknown. But the security hole exists on a vast number of the Internet's Web servers and went undetected for more than two years. While it's conceivable that the flaw was never discovered by hackers, it's nearly impossible to tell.

 

  Quote

 

Qualys SSL Labs has created an online tool that lets visitors type in the names of websites to assess their vulnerability to the bug.

 

I checked Origin on this tool above, and it failed. You may want to change your passwords on Origin immediately.

 

https://www.ssllabs.com/ssltest/analyze.html?d=origin.com

 

While Steam did very well on the report:

 

https://www.ssllabs.com/ssltest/analyze.html?d=www.steampowered.com

[propbndr]

Thing is, unless origin has updated its software, changing your password will do no good. That is the warning that was in a couple of articles I read on the hack. It may get recorded again the next time you login.

Edited April 14, 2014 by propbndr

[-Slayer-]

    ..................  :facepalm: Just another thing to drive us crazy.

 

p.s good one origin, give up trying to play on the internet and hand all your games over to steam, you fail over and over with trying to wear the bigboy pants.

 

Not much good changing any info unless the security hole is closed to stop it.

 

I'm gunna change all mine to this.. :P

 

  Reveal hidden contents

username: imscrewed
password: whocaresyou'llgetitsomehowlol

 

 

 

  :popcorn_cat:

[propbndr]

This all says something about writing checks and using postal stamps to pay your bills.

[Benway]

  On 4/14/2014 at 1:13 AM, SuperTaz said:

I checked Origin on this tool above, and it failed. You may want to change your passwords on Origin immediately.

 

https://www.ssllabs.com/ssltest/analyze.html?d=origin.com

 

well ... thats down to spam distribution network CDN akamai blocks SSL-connections

 

 

Check your online-banking - not the landing page ... the netbanking.* onlinebanking.* subdomain - nice one :rolleyes:

 

  Reveal hidden contents

the one i have to use @work ...

Protocols 
TLS 1.2 No 
TLS 1.1 No  
TLS 1.0 Yes  
SSL 3 Yes 
SSL 2   INSECURE Yes 

Cipher Suites (sorted by strength; the server has no preference) 
SSL_CK_RC4_128_EXPORT40_WITH_MD5 (0x20080)   INSECURE 40 
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080)   INSECURE 40 
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   WEAK 40 
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   WEAK 40 
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   WEAK 40 
SSL_CK_DES_64_CBC_WITH_MD5 (0x60040)   INSECURE 56 
TLS_RSA_WITH_DES_CBC_SHA (0x9)   WEAK 56 
SSL_CK_RC4_128_WITH_MD5 (0x10080)   INSECURE 128 
SSL_CK_RC2_128_CBC_WITH_MD5 (0x30080)   INSECURE 128 
TLS_RSA_WITH_RC4_128_MD5 (0x4)  128 
TLS_RSA_WITH_RC4_128_SHA (0x5)  128 
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  128 
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)   INSECURE 

... means, it is up to clients to disable SSL 2.0 in Browser configuration what is pretty much default;

Nevertheless, what is the point to open a https server for ssl 2.0? IE 3 users?

 

 

[Maester]

Even though Origin got an F it says its not vulnerable to the heartbleed attack?

 

https://www.ssllabs.com/ssltest/analyze.html?d=origin.com&s=23.79.219.9

[Pisi-Deff]

  On 4/14/2014 at 5:28 PM, Maester said:

Even though Origin got an F it says its not vulnerable to the heartbleed attack?

 

https://www.ssllabs.com/ssltest/analyze.html?d=origin.com&s=23.79.219.9

As Benway said, the only part that gets an F is Akamai, the ads/spam-distribution network. It holds none of your relevant information, thus there's nothing to fear.

[HSMagnet]

how do you get rid of akamai?

[Pisi-Deff]

Uh... Adblock?

[Benway]

not a Chance, i tried several 127.0.0.1 s in hosts years back, what broke all kind of stuff. I just left it with killing 24/7 Run&NOP update-monitoring-services (but AV, but that uses its own servers/proxies anyway) and set them to manual (and ReVo-uninstalled teh Mother of all LSOs, creepy adobe AiR); akamai was used for update services by many software companies mainly the big As; nowadays they hide behind some Random-Gibberish-deploy.akamaitechnologies.com domains anyway (what renders hosts close to useless) like google does with *.1e100.net. http://www.nirsoft.net/utils/cports.html
 
PS: Ahh LoL

[SuperTaz]

Both vBulletin and Invision Power Boards got good scores. :)

[Crotan]

  On 4/14/2014 at 7:04 PM, Pisi-Deff said:

As Benway said, the only part that gets an F is Akamai, the ads/spam-distribution network. It holds none of your relevant information, thus there's nothing to fear.

As far as I know they do far more than spam, a large chunk of enterprise level customer facing websites sit behind one CDN or another.

 

Doesn't this website use cloudflare? Same business model no?

Edited April 15, 2014 by Crotan

[Singh400]

  On 4/14/2014 at 2:17 PM, Benway said:

well ... thats down to spam distribution network CDN akamai blocks SSL-connections

Article is from 2009, I doubt their network setup is the same... :\

[Benway]

sure. As well rest assured the global MSG is still more than ever accurate,
 

  Quote

"Not unlike Google, Akamai has an enormous power to monitor users’ Internet usage and to control or even alter the messages that users send and receive. But while Google is repeatedly - if not often enough - held to the fire by privacy and civil liberties advocates, Akamai is mostly ignored."

but i am sure they got the backbone of a nudibranch err .. they will gladly help to watch what might endanger your national security.

cloudflare same biz mod? No. If i want, i can circumvent cf with little if any hassle. i cannot circumvent akamai at all, no matter what i want and i never was or will be asked - You? Tina