Please change your passwords; SSL vulnerability patched

infurnus
Retired Staff / Community Team Member
Posts: 601
Joined: Tue May 29, 2012 9:40 pm
Location: Dusty SEGA Tapes
Clan: Unidoom
Clan Tag: UD

Please change your passwords; SSL vulnerability patched

#1

Post by infurnus » Wed Apr 09, 2014 6:03 pm

Forums are temporarily closed while we sort out some security issues

The issue is described here: http://heartbleed.com
I strongly advise any system administrators that use OpenSSL to look into this as well

EDIT: Aaand we're back.

You are strongly advised to change your passwords. While there is no known leak of anyone's Zandronum.com passwords, I can't prove that every password is perfectly safe, so it's better to just change your passwords and avoid any paranoia. On the forums, you should manually log out and log back in to reset your session.

For the forums, you can change your password here if you are logged in:
https://zandronum.com/forum/usercp.php?action=password

You may also request a forum password reset at this page if you are unable to log in:
https://zandronum.com/forum/member.php?action=lostpw

To reset your Tracker password, go here:
https://zandronum.com/tracker/lost_pwd_page.php

To reset your Wiki password, go here:
https://wiki.zandronum.com/Special:PasswordReset

On IRC, you may use the command: /nickserv help set password

Change any non-Zandronum.com passwords as well, for added security.

If you require any assistance in resetting your passwords, please contact admin@zandronum.com
Last edited by infurnus on Fri Apr 11, 2014 6:00 pm, edited 1 time in total.

Slim
Zandrone
Posts: 1112
Joined: Sat Mar 16, 2013 7:11 am
Location: Zero Space
Clan: Can't fit it in here
Clan Tag: -=FSR=-

RE: Forums are temporarily closed

#2

Post by Slim » Wed Apr 09, 2014 6:43 pm

Spoiler: Generic Response from the uneducated
"OH MY GERD ZANDYS BEEN HACKED BY NAZIS AND SHADOWCOCKS"
No not really, prolly just a check in security, sometimes paranoia gets the best of us.

"Your childish antics grow tiring. If you dare to fight me, then I accept your challenge: Anytime, anywhere." - Zero, Megaman X5
Spoiler: Quotes
5:54 PM - Slim: you're complaining about something so small that
5:54 PM - Lance: so? we do that all the time
5:55 PM - Lance: we're a bunch of losers complaining at a bar minus the bar
Spoiler: Galactus tried evading

Dusk
Developer
Posts: 581
Joined: Thu May 24, 2012 9:59 pm
Location: Turku

RE: Please change your password; SSL vulnerability patched

#3

Post by Dusk » Wed Apr 09, 2014 6:54 pm

Whether someone exploited this on Zandronum before it was patched we have no way to tell. This is a grave-serious global scale security vulnerability affecting 500 000 web servers, Zandronum being one of them. Anyone's password could've been leaked to anyone, on any web service using OpenSSL. So it's recommended to change your passwords everywhere, not just here. I also recommend logging out and back in to invalidate your session ID which could've also been leaked.

EDIT:
<@Konar6> make sure to change your password AFTER the service provider updated their OpenSSL...
<@Konar6> if there's a way to know...
Last edited by Dusk on Wed Apr 09, 2014 8:10 pm, edited 1 time in total.

StrikerMan780
Forum Regular
Posts: 279
Joined: Tue May 29, 2012 9:16 pm
Clan: Shadow Mavericks
Clan Tag: [SM]

RE: Please change your passwords; SSL vulnerability patched

#4

Post by StrikerMan780 » Wed Apr 09, 2014 9:26 pm

Thanks for letting us know. This announcement just helped me patch the vulnerability on my own webserver, so thanks for that too.

Zalewa
Developer
Posts: 329
Joined: Wed May 30, 2012 3:28 pm

RE: Please change your passwords; SSL vulnerability patched

#5

Post by Zalewa » Thu Apr 10, 2014 5:30 am

I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
Last edited by Zalewa on Thu Apr 10, 2014 5:31 am, edited 1 time in total.
Doomseeker - a real answer to cross-platform server browser.
Doomseeker dev builds - unofficial Doomseeker builds for Windows.
Gamer's Proxy - a program to emulate ping and packet losses.

Fluttershy
 
Posts: 40
Joined: Mon Jun 04, 2012 6:55 am
Location: Georgia, US
Clan: Moonlight Killers
Clan Tag: [MLK]

RE: Please change your passwords; SSL vulnerability patched

#6

Post by Fluttershy » Thu Apr 10, 2014 7:35 am

Password was changed, and I appreciate the notice. Four other sites I visit rather frequently also were impacted by this, so I took the warning and edited the passwords on both.

Also, it would appear Tumblr was one of the ones impacted, too. It's a headline post if you have an account on there, urging those to change their password.

Konar6
Retired Staff / Community Team Member
Posts: 455
Joined: Sun May 27, 2012 9:38 am

RE: Please change your passwords; SSL vulnerability patched

#7

Post by Konar6 » Thu Apr 10, 2014 9:04 am

Zalewa wrote: I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
I believe this originates from the website using a self-signed certificate in the past, generating ugly errors in browsers ("connection to this website is untrusted, get me out of here!"), which was scaring off users whenever they clicked a link to https.
Though it seems that the website is now using a certificate signed by an authority (this is news), so Zalewa has a valid point. Technically it would be possible to force https by default.
Ijon Tichy wrote: I like how your first responses to concerns being raised was to start insulting people, accusing random people on the Internet of being Shadowfox, and digging up irrelevant shit from the past. It really inspires confidence in me that you guys are level-headed and rational folks.


<BlueCool> you guys IQ is the same as my IP, Dynamic

Metal
Retired Staff / Community Team Member
Posts: 577
Joined: Fri May 25, 2012 1:18 am
Location: Canada

RE: Please change your passwords; SSL vulnerability patched

#8

Post by Metal » Thu Apr 10, 2014 12:03 pm

This "heartbleed bug" was the same thing that affected the Canada Revenue site. It's very worrisome as that's a website that holds a lot of information on all Canadian taxpayers. It might be a good idea to change all passwords on the websites you're frequently on.
<EazyDI>harassed me
<EazyDI>and called me a dinner
<EazyDI>n*****
<EazyDI>lmao not dinner

Dark-Assassin
Maintenence Crew
Posts: 968
Joined: Fri May 25, 2012 4:25 am

RE: Please change your passwords; SSL vulnerability patched

#9

Post by Dark-Assassin » Thu Apr 10, 2014 2:05 pm

Could this bug be a part of how the Skulltag forums got hacked? Or was that just a PHP/PHPBB bug?

infurnus
Retired Staff / Community Team Member
Posts: 601
Joined: Tue May 29, 2012 9:40 pm
Location: Dusty SEGA Tapes
Clan: Unidoom
Clan Tag: UD

RE: Please change your passwords; SSL vulnerability patched

#10

Post by infurnus » Thu Apr 10, 2014 5:31 pm

Zalewa wrote: I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
There's a workaround that's rolling out for this:
https://www.eff.org/https-everywhere

Metal
Retired Staff / Community Team Member
Posts: 577
Joined: Fri May 25, 2012 1:18 am
Location: Canada

RE: Please change your passwords; SSL vulnerability patched

#11

Post by Metal » Thu Apr 10, 2014 7:52 pm

Dark-Assassin wrote: Could this bug be a part of how the Skulltag forums got hacked? Or was that just a PHP/PHPBB bug?
That was exploits/security holes in the PHPBB software.
<EazyDI>harassed me
<EazyDI>and called me a dinner
<EazyDI>n*****
<EazyDI>lmao not dinner

Konar6
Retired Staff / Community Team Member
Posts: 455
Joined: Sun May 27, 2012 9:38 am

RE: Please change your passwords; SSL vulnerability patched

#12

Post by Konar6 » Thu Apr 10, 2014 9:18 pm

+ Rivecoder
Ijon Tichy wrote: I like how your first responses to concerns being raised was to start insulting people, accusing random people on the Internet of being Shadowfox, and digging up irrelevant shit from the past. It really inspires confidence in me that you guys are level-headed and rational folks.


<BlueCool> you guys IQ is the same as my IP, Dynamic

Jenova
Under Moderation
Posts: 199
Joined: Fri Jun 08, 2012 8:05 am
Location: Africa

RE: Please change your passwords; SSL vulnerability patched

#13

Post by Jenova » Thu Apr 10, 2014 11:47 pm

Zalewa wrote: I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
I don't understand what this post has to do with anything. Of course you could have your information stolen by connecting to random WiFi networks, that's how it has always worked.

There is a difference between someone stealing your information due to your own negligence, and someone stealing thousands of logins from major websites, banks, etc.

This is probably the biggest security leak in the last few years, as anything and everything can be exposed by OpenSSL: plaintext passwords, hashed passwords, SSL certificates, session IDs, etc.

Zalewa
Developer
Posts: 329
Joined: Wed May 30, 2012 3:28 pm

RE: Please change your passwords; SSL vulnerability patched

#14

Post by Zalewa » Fri Apr 11, 2014 7:10 am

Jenova wrote:
Zalewa wrote: I find it somewhat amusing that (...)
I don't understand what this post has to do with anything. Of course you could have your information stolen by connecting to random WiFi networks, that's how it has always worked.

There is a difference between someone stealing your information due to your own negligence, and someone stealing thousands of logins from major websites, banks, etc.

This is probably the biggest security leak in the last few years, as anything and everything can be exposed by OpenSSL: plaintext passwords, hashed passwords, SSL certificates, session IDs, etc.
I actually think that it's very important to include information on how to be as secure as possible if you're sending a scary email to everyone saying that their passwords might've been compromised. While Heartbleed is serious, and I'm sure that people have managed to exploit it to gain unauthorized access to private information, I can't shake off the feeling of how similar this situation is to whatever the popular global epidemic of the year happens to be. I'm actually more concerned about password leakage due to people using insecure connections.

Zandronum has SSL enabled, and it seems that our certificate is signed, so each link in the email and in this thread should be https, not http. If you can't provide https, you should explain to the users when it's safe and when it's not safe to use http. In fact, I believe you should do both of these regardless of the situation.
Last edited by Zalewa on Fri Apr 11, 2014 7:11 am, edited 1 time in total.
Doomseeker - a real answer to cross-platform server browser.
Doomseeker dev builds - unofficial Doomseeker builds for Windows.
Gamer's Proxy - a program to emulate ping and packet losses.
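Konar6 (post #7) notes that it would technically be possible to force https by default, and Zalewa (post #14) asks that every link be https and that users know when plain http is unsafe. The following is an added example, not code from the Zandronum site or from anyone in this thread, of what forcing https looks like at the application layer: a small WSGI middleware in Python that redirects plain-http requests to the same URL over https and sends an HSTS header on secure responses, so a browser that has seen the site once will not follow a later http:// link (such as one from a password-reset email) in the clear. The host names, paths, `demo_app` and `make_environ` are constructed for illustration.

```python
"""Force https by default with a WSGI middleware (added example; assumes a
WSGI-hosted application, which the Zandronum forum is not)."""
from urllib.parse import quote


def https_url_for(environ):
    """Rebuild the requested URL with an https scheme from the WSGI environ."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if host.endswith(":80"):          # drop the explicit default http port
        host = host[:-3]
    url = ("https://" + host + quote(environ.get("SCRIPT_NAME", ""))
           + quote(environ.get("PATH_INFO", "")))
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url


def is_secure(environ, trust_forwarded_proto=False):
    """Did this request arrive over TLS?

    Behind a TLS-terminating reverse proxy the application only ever sees
    http, so the real scheme comes from X-Forwarded-Proto. Trust that header
    only when the proxy is known to overwrite whatever the client sent.
    """
    if trust_forwarded_proto and "HTTP_X_FORWARDED_PROTO" in environ:
        first = environ["HTTP_X_FORWARDED_PROTO"].split(",")[0]
        return first.strip().lower() == "https"
    return environ.get("wsgi.url_scheme", "http") == "https"


class ForceHTTPS:
    """Wrap a WSGI app: 301 to https for plain requests, HSTS on the rest."""

    def __init__(self, app, hsts_max_age=31536000, trust_forwarded_proto=False):
        self.app = app
        self.hsts_value = "max-age=%d" % hsts_max_age
        self.trust_forwarded_proto = trust_forwarded_proto

    def __call__(self, environ, start_response):
        if not is_secure(environ, self.trust_forwarded_proto):
            # Whatever this request carried already crossed the wire in clear
            # text; the redirect only guarantees that the *next* request is
            # encrypted. That is why outgoing links should be https to begin with.
            headers = [("Location", https_url_for(environ)),
                       ("Content-Type", "text/plain"),
                       ("Content-Length", "0")]
            start_response("301 Moved Permanently", headers)
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            # Browsers honour HSTS only on https responses, so add it here only.
            headers = list(headers) + [("Strict-Transport-Security", self.hsts_value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, secure_start_response)


def demo_app(environ, start_response):
    """Stand-in for a user control panel page (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"user control panel"]


def make_environ(scheme, host, path, query=""):
    """Minimal WSGI environ for offline use (constructed)."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "SERVER_NAME": host,
            "REQUEST_METHOD": "GET", "SCRIPT_NAME": "", "PATH_INFO": path,
            "QUERY_STRING": query}


def handle(environ, app=demo_app):
    """Run one request through ForceHTTPS; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(ForceHTTPS(app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(handle(make_environ("http", "forum.example", "/usercp.php", "action=password")))
    print(handle(make_environ("https", "forum.example", "/usercp.php", "action=password")))
```

The redirect covers the case Zalewa raises, an http link in an email, because the browser is sent to https before any form is shown; the HSTS header then keeps the browser on https for subsequent visits. A redirect does nothing for data that was already submitted over http, which is why fixing the links at the source (as infurnus says he is looking into) is still the primary fix.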

infurnus
Retired Staff / Community Team Member
Posts: 601
Joined: Tue May 29, 2012 9:40 pm
Location: Dusty SEGA Tapes
Clan: Unidoom
Clan Tag: UD

RE: Please change your passwords; SSL vulnerability patched

#15

Post by infurnus » Fri Apr 11, 2014 6:02 pm

Zalewa wrote: Zandronum has SSL enabled, and it seems that our certificate is signed, so each link in the email and in this thread should be https, not http. If you can't provide https, you should explain to the users when it's safe and when it's not safe to use http. In fact, I believe you should do both of these regardless of the situation.
For that one it's user error; when fetching the links from my browser's URL bar it had http results instead of the https that I use normally (I am working on fixing this on my end).
As for the rest, I have been trying to figure out why the email system sends http instead of https links (like in the new PM or thread reply emails), I'll talk to Blzut about it.

Crasger
 
Posts: 19
Joined: Fri Apr 11, 2014 6:48 am
Location: The tubes. That's where the country has supposedly gone down to.

RE: Please change your passwords; SSL vulnerability patched

#16

Post by Crasger » Sat Apr 12, 2014 2:14 am

Just a question...
Why would someone go to such lengths to register a domain and make a website as well as a logo just for a
COMPUTER BUG?

It seems like this is some hoax or advertising scheme. Since there's no evidence of it being used, and there's so much attention around it.
I've had enough of the news. They're nothing but opportunistic, sensationalist, scandalous and controversial fakes. This is their latest piece on how golf causes mass acts of violence:
Spoiler:
Yes I am aware that that's a paddle and not a golf club. Sue me.

ibm5155
Addicted to Zandronum
Posts: 1641
Joined: Tue Jun 05, 2012 9:32 pm
Location: Somewhere, over the rainbow

RE: Please change your passwords; SSL vulnerability patched

#17

Post by ibm5155 » Sat Apr 12, 2014 2:19 am

Too lazy to change the boontuoteg password
Projects
Cursed Maze: DONE, V2.0
Zombie Horde - ZM09 map update: [3/15/13]
Need help with English? Then you've come to the right place!

<this post is proof of "Decline">

Lollipop
Zandrone
Posts: 1123
Joined: Tue Jul 24, 2012 10:34 am
Location: Denmark

RE: Please change your passwords; SSL vulnerability patched

#18

Post by Lollipop » Sat Apr 12, 2014 12:09 pm

I have not seen this flourish in the newspapers, even though it would be a 100% front page article. I dunno, but it seems a bit weird to me too.
Spoiler: Modding Qualifications
ACS: If it's of ridiculous scope and of suicide-inducing complexity then it's the thing for me.
DECORATE: I can make more or less any godawful hack I need. Doesn't mean it works, though.
Maps: I only map for testing ACS.
GFX: Not enough time or experience.

If you need help, advice or similar, feel free to send me a PM. ;)
Spoiler: My Current Projects
> ZMemory
> Various undeveloped ideas. (This one is an immutable fact)
Combinebobnt wrote: I can see the forum league is taking off much better than the ctf ones
Galactus, Today at 1:07 PM
are you getting uncomfortable jap
feeling something happen down there

Luke
Forum Regular
Posts: 512
Joined: Mon Jun 18, 2012 6:32 pm

RE: Please change your passwords; SSL vulnerability patched

#19

Post by Luke » Sat Apr 12, 2014 12:30 pm

So, seems like the NSA knew about this exploit for 2 years and said nothing to take advantage of it. :D

How nice!

Rainbow
New User
Posts: 5
Joined: Sun Aug 04, 2013 8:32 pm

RE: Please change your passwords; SSL vulnerability patched

#20

Post by Rainbow » Sat Apr 12, 2014 2:21 pm

Thanks for the heads up. I've been taking this OpenSSL thing with a grain of salt. More or less because simply changing my password will not work unless I know for sure it's been patched.

Quite honestly, this has been the only place to mention anything about it so far (at least where I have an account).
Last edited by Rainbow on Sat Apr 12, 2014 2:42 pm, edited 1 time in total.
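Konar6's remark quoted in post #3 ("make sure to change your password AFTER the service provider updated their OpenSSL... if there's a way to know") and Rainbow's post #20 ("changing my password will not work unless I know for sure it's been patched") both turn on the same question: how does anyone tell that a server was actually fixed? The following is an added example, not code from this thread or from the Zandronum project, of two checks a site operator or a careful user can run in Python: whether an `openssl version` string falls in the affected upstream range, and whether the server certificate was issued after the fix went in, since a key the bug could have exposed is only neutralised by a new key pair and certificate. The `OLD_CERT`/`NEW_CERT` dictionaries and the `forum.example` host are constructed sample data, and `fetch_peer_cert` is the only part that needs a network.

```python
"""Was the server actually fixed? Two Heartbleed follow-up checks (added
example; assumes access to the server's `openssl version` output and to its
certificate in the dict form returned by ssl.SSLSocket.getpeercert())."""
import re
import socket
import ssl

# Affected upstream releases: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never had the
# TLS heartbeat extension at all.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_affected_version(version_output):
    """Return True when the version string names an affected upstream release.

    Caveat: distributions often backport the fix without bumping the letter
    (a patched build can still print 1.0.1e), and builds compiled with
    OPENSSL_NO_HEARTBEATS were never affected. Treat True as "check the
    package changelog", not as proof.
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        raise ValueError("unrecognised version string: %r" % version_output)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"            # "" (plain 1.0.1) and a..f are affected
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"             # only 1.0.2-beta1 is affected
    return False


# Public disclosure date (7 April 2014): the earliest moment any server could
# have been patched, so it is the lower bound when the exact patch time is
# unknown. Pass the real patch time as fixed_at when you know it.
DISCLOSURE = ssl.cert_time_to_seconds("Apr 07 00:00:00 2014 GMT")


def cert_reissued_since(cert, fixed_at=DISCLOSURE):
    """True when the certificate's notBefore is at or after fixed_at.

    An unchanged notBefore is the visible sign that the private key may not
    have been rotated, in which case a password changed on this host still
    travels to a key the bug could have exposed.
    """
    return ssl.cert_time_to_seconds(cert["notBefore"]) >= fixed_at


def fetch_peer_cert(host, port=443):
    """Fetch the live certificate (needs network; not used by the offline demo)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def assess(version_output, cert, fixed_at=DISCLOSURE):
    """Combine both checks into a list of findings for a human to read."""
    findings = []
    if heartbleed_affected_version(version_output):
        findings.append("openssl version string is in the affected range")
    if not cert_reissued_since(cert, fixed_at):
        findings.append("certificate predates the fix; key may not have been rotated")
    return findings


# Constructed sample certificates in getpeercert() form (not real data).
OLD_CERT = {"subject": ((("commonName", "forum.example"),),),
            "notBefore": "Mar 20 00:00:00 2014 GMT",
            "notAfter": "Mar 20 23:59:59 2015 GMT"}
NEW_CERT = dict(OLD_CERT, notBefore="Apr 10 00:00:00 2014 GMT")


if __name__ == "__main__":
    print(assess("OpenSSL 1.0.1f 6 Jan 2014", OLD_CERT))   # two findings
    print(assess("OpenSSL 1.0.1g 7 Apr 2014", NEW_CERT))   # clean
```

From the outside only the certificate check is available; the version check needs a shell on the server. Both together answer Rainbow's concern: change the password once the version is clean and the certificate has been reissued, and if the certificate still predates the disclosure, treat the change as provisional and repeat it after the site rotates its key.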
