Heartbleed

[Vasu]

Do any of us know whether FF uses OpenSSL for it's security? And whether it's likely to be fixed? In other news, you guys should all probably change your Facebook password, and probably also your Google password. Also Tumblr, Pinterest, Instagram, Yahoo Mail.

Here's a nice tracking page:

http://mashable.com/2014/04/09/heart...ites-affected/

For those of you wondering what all of this is about, xkcd has the simplest explanation I've seen:

[Ralath]

That comic was still confusing.

[Vasu]

Well the bug in SSL essentially allowed anyone to access whatever was in the server's RAM or main memory at the time. Now any processing that a computer does involved moving data from your normal file system to the RAM.

Now imagine there's a file 'supersecret.txt' on my Dropbox that I just accessed. The files contents are copied to main memory on the way to me. The contents of the file itself remain restricted to me, but whatever is within the main memory isn't really associated with my file any more once I'm done. It's just unstructured data sitting there, and can be overwritten at any time.

However, someone exploiting this bug can get it to spit out whatever is in the main memory and it will, because the server doesn't see the bunch of 1s and 0s as belonging to your file any more. And so any sensitive data may have been obtained. It's a crapshoot, but there's a chance of it happening.

Not all major websites used OpenSSL, but it is pretty widely used, so a lot of servers have been putting up patches for the flaw. Obviously changing your password is useless if the company itself hasn't patched their server.

[Ivramire]

Just spent about an hour waterproofing my passwords and making them all unique. Heartbleed's serious stuff.

[Vasu]

Originally Posted by Ivramire

Just spent about an hour waterproofing my passwords and making them all unique. Heartbleed's serious stuff.

I use a common root word for my passwords which are modified based on the name of the website I visit. If a human looks at them in plaintext, it's pretty obvious, but it should stand up to machine analysis haha.

EDIT: I found a better checking tool:
https://lastpass.com/heartbleed/

[Entropy]

Originally Posted by Vasu

Do any of us know whether FF uses OpenSSL for it's security?

FF doesn't use OpenSSL.

Also, passwords are hashed before they are sent to the server and are salted and hashed again before being stored. Your passwords are safe even if someone does get in. Even I can't figure out what they are.

[Vasu]

Hm, good to know, but that's probably standard procedure anyway. The danger is with the server's private keys being leaked via this bug. But it's a moot point anyway since we don't use OpenSSL.

[Hessah]

Oh man I have to relearn all my passwords...

[Ivramire]

All my passwords are now random strings of letters and numbers, like addgag9a8duge7wg. I'm using a password-manager (Lastpass) with a strong master password to manage it all for me.

[Lirange]

I'll take my chances hehe