The Wonderland Board

I'm pretty sure you've all heard about the Heartbleed bug, which causes millions of websites to be vulnerable. It works by having the server spit out their data from their RAM, which can contain sensitive information such as your personal information and passwords.

I'd just like to let you know that Wonderland Forums and WonderWiki are NOT affected by this bug.

Here's why:
1. Wonderland Forums and WonderWiki does not make use of SSL technology to secure your actions on the forums.
2. MS's server has OpenSSL 0.9.8 installed (you can verify here), and the Heartbleed bug only affects OpenSSL 1.0.1 and 1.1. WonderWiki server does use the affected versions, but since WonderWiki does not use SSL, you are not affected.

Now obviously I cannot speak for BMTMicro, MS's payment provider, but I am sure they have been working hard to mitigate the vulnerability.

If you are paranoid, do this:
1. Check if the service you use is affected by Heartbleed. If they have not patched, don't do anything on the website! Your information cold be leaked this way (although rather unlikely)
2. Change your passwords AFTER the service has patched their servers. Make sure to use a strong password to make the crackers' job harder.
3. Change your passwords every so often. Avoid using one password for all services - Password Managers like KeyPass and Dashlane should help you with achieving that.

Stay safe!
tyteen4a03

MS's server has OpenSSL 0.9.8 installed (you can verify here), and the Heartbleed bug only affects OpenSSL 1.1 and 1.2.

Hooray outdated-ness!

StinkerSquad01 wrote:

MS's server has OpenSSL 0.9.8 installed (you can verify here), and the Heartbleed bug only affects OpenSSL 1.1 and 1.2.

Hooray outdated-ness!

I've poked MS over and over to update his stack... he has done nothing.

OpenSSL 0.9.8 is stable and is safe to use, so nothing to worry about. PHP 5.2 on the other hand...

tyteen4a03 wrote:I've poked MS over and over to update his stack... he has done nothing..

-------------------------------------------
Fascinating topic.
I don't even understand a little bit of SSL; .
The HeartBleed problem seems to be of a temporary nature, thank goodness.

The HeartBleed Bug ::
http://heartbleed.com/
http://tinyurl.com/jvpaat6

I believe that (most) hackers were completely unaware of the HeartBleed
access, and that by the time they found out about it, it was already patched up.

OpenSSL -->> https://www.openssl.org/
---------------------------------------------------------------

Free CrypTool cryptography Downloads ::
http://www.cryptool.org/en/cryptool2-en
http://www.cryptool.org/en/cryptool1-en
http://www.cryptool.org/en/
..

The Heartbleed bug is not as easy to use as the press made it out to be, anyway. It compromises random 64K of server memory. Sure, a persistent attacker could repeat the exploit over and over, but the point is, it's not that easy to extract secret data from it.

Sure, the immediate reaction of any sensible specialist in the field is to panic, which has already happened.

Bruce Schneier wrote:Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

On the other hand, the same person later admits the picture isn't quite as clear:

Bruce Schneier wrote:I wonder if there is going to be some backlash from the mainstream press and the public. If nothing really bad happens -- if this turns out to be something like the Y2K bug -- then we are going to face criticisms of crying wolf.

Bruce Schneier quoting Cloudflare wrote:Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible.

Bruce Schneier wrote:We have one example of someone successfully retrieving an SSL private key using Heartbleed. So it's possible, but it seems to be much harder than we originally thought.

The Heartbleed bug is exploitable much more easily on Apache (judging by comments I've read) but it really depends on the circumstances. The cloudflare challenge was eventually cracked multiple times, proving the real danger to probably be somewhere between the catastrophic and the negligible.

To see a way someone cracked the cloudflarechallenge thing, read this: https://gist.github.com/epixoip/10570627

TLDR: Heartbleed, while one of the most serious and wide-reaching bugs ever, is not a vulnerability that can be randomly exploited by script kiddies. This is not "code it up and watch the server go boom". This is a vulnerability that can be exploited by a serious, persistent hacker who is probably not surfing around cracking random servers. Script kiddies who "just want to watch the world burn" get much more use of thousands of unprotected sites with stupidly simple vulnerabilities.