Warning to change your passwords

[RosieC]

A recent security flaw has been found on the internet and experts are warning people to change all their internet passwords.

I don't know that this affects orchid board or not, I don't think this site uses SSL. However I'm sharing this warning because you might be using other sites that could have been affected (such as Flickr). Changing your password here (just in case) also can't hurt. I'm going to do mine.

See this BBC report for more info.

BBC News - Heartbleed Bug: Public urged to reset all passwords

[RandomGemini]

If the web server that OB is running on uses Apache, then OB IS affected because Apache uses OpenSSL.

Since 90% of the websites on the Internet are hosted on web servers running Apache, everyone who used web based anything should change their passwords immediately.

[RosieC]

Thanks, good to know.

Because of the name I thought it might be only SSL secured sites, but I'm changing all my passwords whether I think the site is affected or not. I would advise everyone to do the same.

[ALToronto]

OK, just to be a devil's advocate - what's the harm in having the OB password stolen by someone? Is a hacker with too much time on his hands going to post some spam under my name? Don't forget, this bug has been around for two years. Have we had an epidemic of sketchy posts made by members? Well, maybe we have, but they weren't made by impersonators.

I've changed my email password - that's the most important one that everyone should change. Banking is another biggie. Facebook, LinkedIn and Twitter should also be changed. But special interest forums - I have enough trouble remembering them every time I get a new gadget to login with.

We have the benefit of security through obscurity, and it's usually the most effective.

[RosieC]

I agree to some extent, and I'm not in a rush to change my passwords on most forums, more things like my google/email account, my Flickr account, my Facebook account.

Something else to be aware of. If OB is affected then it will need patching to get rid of the problem, until that is done changing your password here is pointless.

Changing your password on any unfixed site is pointless.

[RandomGemini]

Rosie, it is a bug in OpenSSL and TSL, but since these libraries are used by just about everything on the Internet, including stuff that you wouldn't think would need it, just about everything has the potential to be compromised from your Online Banking password, to your OB password. That's why this security alert is so scary to anyone working in IT today.

[RosieC]

Quote:

Originally Posted by ALToronto

Don't forget, this bug has been around for two years. Have we had an epidemic of sketchy posts made by members? Well, maybe we have, but they weren't made by impersonators.

One point made in the link I posted is that now it's been made public it's become really easy for hackers to make use of it... because they know it exists now.

---------- Post added at 07:47 PM ---------- Previous post was at 07:22 PM ----------

Quote:

Originally Posted by RandomGemini

Rosie, it is a bug in OpenSSL and TSL, but since these libraries are used by just about everything on the Internet, including stuff that you wouldn't think would need it, just about everything has the potential to be compromised from your Online Banking password, to your OB password. That's why this security alert is so scary to anyone working in IT today.

OK, while I work in IT, I don't do much in these areas so don't fully comprehend what this is.

My thought was that non-SSL sites can easily be compromised anyway.

Someone can intercept the messages sent from client to server and with a non SSL site like this someone could intercept the passwords anyway.

I thought this was a hole in the SSL to allow this to happen as well. However I will gladly bow to people with more knowledge on this than me.

[RandomGemini]

I think you're right, that is the general idea of what this bug allows to happen.