
Heartbleed - Major Security Bug all over the internet

Started by PLAYBOY, April 08, 2014, 10:34:15 AM


PLAYBOY

I think this is very new! Please let me know if SMF hasn't patched it yet, or if they need to at all, as so many sites would be in danger right now!
http://heartbleed.com/

Illori


PLAYBOY

Ok. As long as the software is safe. Should we worry about it if we don't use OpenSSL on our server?

Kindred

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."


Fern

The simplistic response given rather ignores that anyone's good name and position of trust may well have been compromised since it can evidently leak ALL server memory as circumstances arise, including passwords. At the very least a password change should be forced?

Kindred

Fern, sorry, but you have no idea what you are talking about.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Storman™

There's so much misunderstood information out there regarding Heartbleed that it's creating unnecessary panic for many.

Even the BBC News reader described it as a virus....  ::)

Colin

Quote from: Fern on April 16, 2014, 12:26:22 PM
The simplistic response given rather ignores that anyone's good name and position of trust may well have been compromised since it can evidently leak ALL server memory as circumstances arise, including passwords. At the very least a password change should be forced?

Why should they be concerned when they weren't even using the software that had the vulnerability?
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

LiroyvH

Quote from: Fern on April 16, 2014, 12:26:22 PM
The simplistic response given rather ignores that anyone's good name and position of trust may well have been compromised since it can evidently leak ALL server memory as circumstances arise, including passwords. At the very least a password change should be forced?

No. Only information encrypted with SSL could be obtained from memory.
Websites not using SSL have nothing to fear from heartbleed.
Read yourself in here: http://www.simplemachines.org/community/index.php?topic=521203.0
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Fern

It's precisely for caveats like "if ssl is used," that it's worth a mention.

For example, what about the client side, even for the original poster? One insertion vector is all it takes for a 19 year old undergrad.

And is it seriously possible to expect that all implementations of SMF require its users to log in insecurely AND without SSL?

And have all of the various exploits written over the past 16-20,000 hours been disclosed? 

I'll stick with recommending or forcing a password change. It's good policy regardless, not fear mongering.

Storman™

Quote
No. Only information encrypted with SSL could be obtained from memory.

And more precisely only that using the TLS protocol ;)

Other aspects of SSL are not affected.

Fern
- don't talk in riddles, back up what you are saying with firm evidence. Currently you are just rambling and talking nonsense. Granted, asking members to change their passwords is good practice, but it's irrelevant if the site has not used SSL as part of their implementation AND is running vulnerable versions of OpenSSL.

LiroyvH

Quote
It's precisely for caveats like "if ssl is used," that it's worth a mention.

Yeah, that's why that post I linked to was made...

Quote
For example, what about the client side, even for the original poster? One insertion vector is all  it takes for a 19 year old undergrad.

Irrelevant to this subject and very poorly explained exactly what you're on about.

Quote
And is it seriously possible to expect that all implementations of SMF require its users to log in insecurely AND without SSL?

No, read the explanation post rather than shouting without reading... You might even learn something. :)

Quote
And have all of the various exploits written over the past 16-20,000 hours been disclosed?

... So you mean in the past 2 ~ 2.5 years. If I had to change my password for each exploit that does not affect me at all, I'd be having a password change every 100 ms.
If you're afraid that every exploit being found/created all the time is a danger to you, I'd be ditching your computer. ;) ... Or at least unplug the internet cable.

Quote
I'll stick with recommending or forcing a password change. Its good policy regardless, not fear mongering.

On sites that use SSL that certainly is a good policy, as Storman also already confirmed and as has been mentioned on multiple sites... Including this one.
And changing it once in a while on any site is not bad either, as long as you don't have to write it down when you do...
Your previous post, however, certainly was nothing more than ill-informed fear mongering.


Anyway, from what I can see: the OP's question has been answered.
Locking this topic now.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
