
Critical SSL vulnerability

Basil (Administrator, Staff member)
I received this from a good friend who works at one of our national labs. I think this one we take seriously. Note: I have edited the name of the lab for his sake, but felt the information important. This was what he received from their IT department a short time ago.

"April 8, 2014: Because of an unpatched critical vulnerability in the encryption technology (OpenSSL) that protects data transmitted over the Internet, *********** has blocked remote access to **********'s networks until further notice (see this article and this article on Ars Technica for more information about this vulnerability). This means that workforce members away from ********** will be unable to establish either VPN or remote (RDP) sessions using remote.**************.gov. If you are onsite, internal VPN and RDP connections are unaffected.

While these measures help protect **************'s networks, please be aware that your family's information is also at extreme risk because many of the HTTPS servers on the Internet use OpenSSL technology. To help protect *********** and your family from loss of sensitive information, please minimize Internet shopping, banking, and accessing other secure (HTTPS) sites. We will send another message when remote access has been restored at ************."
 
Thanks for the heads up.

Hadn't heard a thing about this 'til now.
 
Just heard about this on NPR. Sounds like it's time to change passwords....
 
> Just heard about this on NPR. Sounds like it's time to change passwords....

Yep - have to change my `1234abcd to abcd1234 again. :jester:

Seriously, probably a good idea to change all the accounts, and hope all the sites have *already* fixed their problem before!

oy
 
Mickey and I obviously listen to the same radio station. Heard it on NPR too. Thanks for the reminder.
 
I think I'd make sure that any secure site you use has updated their SSL before you update your password.
 
> I think I'd make sure that any secure site you use has updated their SSL before you update your password.

So, how would we know that? Remember, most of us know little to nothing about this stuff!
 
> So, how would we know that? Remember, most of us know little to nothing about this stuff!
Well, what I did, at least for my online banking, is I called both of my banks. For other sites? like Amazon, Etc., I imagine they will be addressing the issue up front, but if not I'd contact them and ask.
 
Basil - that cnet link is *very* helpful. Thanks.

Also, the filippo.io "Heartbleed" server checkout page (link on the cnet page) seems helpful.
 
Here is a better checkout page: https://www.ssllabs.com/ssltest/

You just put in the domain and not the https part. for example: mybank.com

In case anyone has the thought of checking Britishcarforum, you would NOT put in britishcarforum.com because we don't use SSL for the main domain (it's a regular http://, not https). However, I do have secure certificates installed for my "host" domain (main server host), through which people who have web sites on my server access their "cPanel", for example, via my secure server. My server's host name is sarah.britishcarforum.com, so if you put that in the search you will see that I am not vulnerable to Heartbleed.
Cheers
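The two practical questions in this thread are "what do I type into the checker" (a bare hostname, not the https:// part) and "how do I know a site has updated its SSL before I change my password". The script below is an added example, not code from the forum or from SSL Labs: it normalises whatever the user pasted to a hostname, then fetches the site's certificate and reports whether it was issued after OpenSSL published the Heartbleed advisory on 7 April 2014. The hostnames and dates in the comments are constructed for illustration.

```python
"""Added example: was a site's certificate reissued after Heartbleed?"""
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

# OpenSSL published the Heartbleed advisory on 7 April 2014. A certificate
# dated before that could have had its private key read out of a vulnerable
# server, so a site that patched properly should also carry a newer one.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def hostname_from_input(user_input: str) -> str:
    """Reduce 'https://www3.example.com/login?x=1' or plain 'example.com'
    to the bare hostname that the SSL Labs form expects."""
    text = user_input.strip()
    if "://" not in text:            # bare domain: give urlsplit a scheme
        text = "https://" + text
    host = urlsplit(text).hostname
    if not host:
        raise ValueError(f"no hostname in {user_input!r}")
    return host.lower()


def cert_issued_after_disclosure(cert: dict) -> bool:
    """cert is the dict returned by SSLSocket.getpeercert().
    True when its notBefore date is later than the Heartbleed disclosure."""
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return issued > HEARTBLEED_DISCLOSURE


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Do a verified TLS handshake and return the server's certificate."""
    ctx = ssl.create_default_context()   # verifies the chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    # Constructed default; pass a real bank hostname or URL on the command line.
    target = hostname_from_input(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    cert = fetch_cert(target)
    print(target, "certificate issued:", cert["notBefore"])
    print("reissued after Heartbleed disclosure:", cert_issued_after_disclosure(cert))
```

A certificate dated after the disclosure shows the site rotated its key, which is the part a visitor can verify; it does not by itself prove the server software was patched, so pair it with the SSL Labs report.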
 
I solved the on-line banking issue and the phishing scams involved. It was real easy.
I refused to do any on-line banking.
Dave
 
So I called my bank about an hour ago and discussed the security problem; they assured me they knew about it and everything was fine and "it's safe to use their website".
I went to the ssllabs.com site and got this.... who do I trust?

 
> So I called my bank about an hour ago and discussed the security problem; they assured me they knew about it and everything was fine and "it's safe to use their website".
> I went to the ssllabs.com site and got this.... who do I trust?

Their certificate is associated with https://www4.citizensbankonline.com
Try that and the story is worse. They are not vulnerable to Heartbleed, but they are vulnerable to another issue and get a grade of F.
 
> Their certificate is associated with https://www4.citizensbankonline.com
> Try that and the story is worse. They are not vulnerable to Heartbleed, but they are vulnerable to another issue and get a grade of F.
I looked again at the address and it shows "www3" not "www4". So I ran the address again using www3.citizensbankonline.com and this time it gave it a rating of "B".
I was going to schedule a payment but now I'm skeptical.
 
When I put my bank in it returns a message I don't understand: "Hostname is on our "do not scan" list".
 
Just got off phone with IT department, after being on hold for 20 minutes, and was told they were working on it. Not real reassuring.
 
Read this morning it may take a LONG time to sort this all out.
 