Please change your passwords; SSL vulnerability patched
- infurnus
- Retired Staff / Community Team Member
- Posts: 601
- Joined: Tue May 29, 2012 9:40 pm
- Location: Dusty SEGA Tapes
- Clan: Unidoom
- Clan Tag: UD
- Contact:
Please change your passwords; SSL vulnerability patched
Forums are temporarily closed while we sort out some security issues
The issue is described here: http://heartbleed.com
I strongly advise any system administrators that use OpenSSL to look into this as well
EDIT: Aaand we're back.
You are strongly advised to change your passwords. While there is no known leak of anyone's Zandronum.com passwords, I can't prove that every password is perfectly safe, so it's better to just change your passwords and avoid any paranoia. On the forums, you should manually log out and log back in to reset your session.
For the forums, you can change your password here if you are logged in:
https://zandronum.com/forum/usercp.php?action=password
You may also request a forum password reset at this page if you are unable to log in:
https://zandronum.com/forum/member.php?action=lostpw
To reset your Tracker password, go here:
https://zandronum.com/tracker/lost_pwd_page.php
To reset your Wiki password, go here:
https://wiki.zandronum.com/Special:PasswordReset
On IRC, you may use the command: /nickserv help set password
Change any non Zandronum.com passwords as well, for added security.
If you require any assistance in resetting your passwords, please contact admin@zandronum.com
Last edited by infurnus on Fri Apr 11, 2014 6:00 pm, edited 1 time in total.
- Slim
- Zandrone
- Posts: 1112
- Joined: Sat Mar 16, 2013 7:11 am
- Location: Zero Space
- Clan: Can't fit it in here
- Clan Tag: -=FSR=-
- Contact:
RE: Forums are temporarily closed
Spoiler: Generic Response from the uneducated
No not really, prolly just a check in security, sometimes paranoia gets the best of us.
RE: Please change your password; SSL vulnerability patched
Whether someone exploited this on Zandronum before it was patched we have no way to tell. This is a grave-serious global scale security vulnerability affecting 500 000 web servers, Zandronum being one of them. Anyone's password could've been leaked to anyone, on any web service using OpenSSL. So it's recommended to change your passwords everywhere, not just here. I also recommend logging out and back in to invalidate your session ID which could've also been leaked.
EDIT:
<@Konar6> make sure to change your password AFTER the service provider updated their OpenSSL...
<@Konar6> if there's a way to know...
Last edited by Dusk on Wed Apr 09, 2014 8:10 pm, edited 1 time in total.
- StrikerMan780
- Forum Regular
- Posts: 279
- Joined: Tue May 29, 2012 9:16 pm
- Clan: Shadow Mavericks
- Clan Tag: [SM]
RE: Please change your passwords; SSL vulnerability patched
Thanks for letting us know. This announcement just helped me patch the vulnerability on my own webserver, so thanks for that too.
RE: Please change your passwords; SSL vulnerability patched
I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
Last edited by Zalewa on Thu Apr 10, 2014 5:31 am, edited 1 time in total.
Doomseeker - a real answer to cross-platform server browser.
Doomseeker dev builds - unofficial Doomseeker builds for Windows.
Gamer's Proxy - a program to emulate ping and packet losses.
-
- Posts: 40
- Joined: Mon Jun 04, 2012 6:55 am
- Location: Georgia, US
- Clan: Moonlight Killers
- Clan Tag: [MLK]
- Contact:
RE: Please change your passwords; SSL vulnerability patched
Password was changed, and I appreciate the notice. Four other sites I visit rather frequently also were impacted by this, so I took the warning and edited the passwords on both.
Also, it would appear Tumblr was one of the ones impacted, too. It's a headline post if you have an account on there, urging those to change their password.
RE: Please change your passwords; SSL vulnerability patched
Zalewa wrote: I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
I believe this originates from the website using a self-signed certificate in the past, generating ugly errors in browsers ("connection to this website is untrusted, get me out of here!"), which was scaring off users whenever they clicked a link to https.
Though it seems that the website is now using a certificate signed by an authority (this is news), so Zalewa has a valid point. Technically it would be possible to force https by default.
Ijon Tichy wrote:I like how your first responses to concerns being raised was to start insulting people, accusing random people on the Internet of being Shadowfox, and digging up irrelevant shit from the past. It really inspires confidence in me that you guys are level-headed and rational folks.
<BlueCool> you guys IQ is the same as my IP, Dynamic
-
- Retired Staff / Community Team Member
- Posts: 577
- Joined: Fri May 25, 2012 1:18 am
- Location: Canada
RE: Please change your passwords; SSL vulnerability patched
This "heartbleed bug" was the same thing that affected the Canada Revenue site. It's very worrisome as that's a website that holds a lot of information on all Canadian taxpayers. It might be a good idea to change all passwords on the websites you're frequently on.
<EazyDI>harrased me
<EazyDI>and called me a dinner
<EazyDI>n*****
<EazyDI>lmao not dinner
- Dark-Assassin
- Maintenence Crew
- Posts: 968
- Joined: Fri May 25, 2012 4:25 am
RE: Please change your passwords; SSL vulnerability patched
Could this bug be a part of how the Skulltag forums got hacked? Or was that just a PHP/PHPBB bug?
- infurnus
- Retired Staff / Community Team Member
- Posts: 601
- Joined: Tue May 29, 2012 9:40 pm
- Location: Dusty SEGA Tapes
- Clan: Unidoom
- Clan Tag: UD
- Contact:
RE: Please change your passwords; SSL vulnerability patched
Zalewa wrote: I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
There's a workaround that's rolling out for this:
https://www.eff.org/https-everywhere
-
- Retired Staff / Community Team Member
- Posts: 577
- Joined: Fri May 25, 2012 1:18 am
- Location: Canada
RE: Please change your passwords; SSL vulnerability patched
Dark-Assassin wrote: Could this bug be a part of how the Skulltag forums got hacked? Or was that just a PHP/PHPBB bug?
That was exploits/security holes in the PHPBB software.
<EazyDI>harrased me
<EazyDI>and called me a dinner
<EazyDI>n*****
<EazyDI>lmao not dinner
RE: Please change your passwords; SSL vulnerability patched
+ Rivecoder
Ijon Tichy wrote:I like how your first responses to concerns being raised was to start insulting people, accusing random people on the Internet of being Shadowfox, and digging up irrelevant shit from the past. It really inspires confidence in me that you guys are level-headed and rational folks.
<BlueCool> you guys IQ is the same as my IP, Dynamic
RE: Please change your passwords; SSL vulnerability patched
Zalewa wrote: I find it somewhat amusing that you're talking about security vulnerabilities, and yet every single one of these URLs is plain text and will expose your password to the administrator of your work network, or to anyone who's connected to the same unprotected Wi-Fi that you're connected to, or to President Obama. Forums and tracker seem to have HTTPS enabled, although not certified, but it's still better than plain text.
I don't understand what this post has to do with anything. Of course you could have your information stolen by connecting to random WiFi networks, that's how it has always worked.
There is a difference between someone stealing your information due to your own negligence, and someone stealing thousands of logins from major websites, banks, etc.
This is probably the biggest security leak in the last few years, as anything and everything can be exposed by openssl: plaintext passwords, hashed passwords, SSL certificates, session IDs, etc.
RE: Please change your passwords; SSL vulnerability patched
Jenova wrote: Zalewa wrote: I find it somewhat amusing that (...)
I don't understand what this post has to do with anything. Of course you could have your information stolen by connecting to random WiFi networks, that's how it has always worked.
There is a difference between someone stealing your information due to your own negligence, and someone stealing thousands of logins from major websites, banks, etc.
This is probably the biggest security leak in the last few years, as anything and everything can be exposed by openssl: plaintext passwords, hashed passwords, SSL certificates, session IDs, etc.
I actually think that it's very important to include information on how to be as secure as possible if you're sending a scary email to everyone saying that their passwords might've been compromised. While heartbleed is serious, and I'm sure that people have managed to exploit it to gain unauthorized access to private information, I can't shake off the feeling of how similar this situation is to whatever the popular global epidemic of the year happens to be. I'm actually more concerned about password leakage due to people using insecure connections.
Zandronum has SSL enabled, and it seems that our certificate is signed, so each link in the email and in this thread should be https, not http. If you can't provide https, you should explain to the users when it's safe and when it's not safe to use http. In fact, I believe you should do both of these regardless of the situation.
Last edited by Zalewa on Fri Apr 11, 2014 7:11 am, edited 1 time in total.
Doomseeker - a real answer to cross-platform server browser.
Doomseeker dev builds - unofficial Doomseeker builds for Windows.
Gamer's Proxy - a program to emulate ping and packet losses.
- infurnus
- Retired Staff / Community Team Member
- Posts: 601
- Joined: Tue May 29, 2012 9:40 pm
- Location: Dusty SEGA Tapes
- Clan: Unidoom
- Clan Tag: UD
- Contact:
RE: Please change your passwords; SSL vulnerability patched
Zalewa wrote: Zandronum has SSL enabled, and it seems that our certificate is signed, so each link in the email and in this thread should be https, not http. If you can't provide https, you should explain to the users when it's safe and when it's not safe to use http. In fact, I believe you should do both of these regardless of the situation.
For that one it's user error; when fetching the links from my browser's URL bar it had http results instead of the https that I use normally (I am working on fixing this on my end).
As for the rest, I have been trying to figure out why the email system sends http instead of https links (like in the new PM or thread reply emails), I'll talk to Blzut about it.
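The fix discussed above is mechanical: any link to a host that is known to serve HTTPS with a trusted certificate should be emitted as https before the notification goes out. The following is an added example (not code from Zandronum or this thread) of a small pre-send check that rewrites such links and reports what it changed; the set of HTTPS-capable hosts and the sample announcement text are assumptions constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed: hosts from the announcement that serve HTTPS with a CA-signed certificate.
HTTPS_HOSTS = {"zandronum.com", "wiki.zandronum.com"}

# Matches http/https URLs up to the next whitespace or quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def upgrade_link(url):
    """Return the https form of url if its host is in HTTPS_HOSTS; otherwise return it unchanged.

    Hosts outside the allow-list (e.g. a third-party site) are left alone, since forcing
    https on a host that does not serve it would just produce a broken link.
    """
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in HTTPS_HOSTS:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def upgrade_links(text):
    """Rewrite every plain-http link to an allow-listed host inside text.

    Returns (new_text, changes) where changes is a list of (old_url, new_url) pairs,
    so the sender can review what was rewritten before the mail goes out.
    """
    changes = []

    def repl(match):
        raw = match.group(0)
        # Keep sentence punctuation that the regex swallowed after the URL.
        trail = raw[len(raw.rstrip(".,;:)")):]
        url = raw[:len(raw) - len(trail)]
        new = upgrade_link(url)
        if new != url:
            changes.append((url, new))
        return new + trail

    return URL_RE.sub(repl, text), changes


# Constructed sample, modelled on the announcement's link list.
SAMPLE = (
    "The issue is described here: http://heartbleed.com.\n"
    "Change your forum password: http://zandronum.com/forum/usercp.php?action=password\n"
    "Wiki reset: https://wiki.zandronum.com/Special:PasswordReset\n"
)
```

Running `upgrade_links(SAMPLE)` rewrites only the forum link; the heartbleed.com link is reported untouched because that host is not in the allow-list, and the wiki link is already https.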
-
- Posts: 19
- Joined: Fri Apr 11, 2014 6:48 am
- Location: The tubes. That's where the country has supposedly gone down to.
RE: Please change your passwords; SSL vulnerability patched
Just a question...
Why would someone go through lengths to register a domain and make a website as well as a logo just for a
COMPUTER BUG?
It seems like this is some hoax or advertising scheme. Since there's no evidence of it being used, and there's so much attention around it.
I've had enough of the news. They're nothing but opportunistic, sensationalist, scandalous and controversial fakes. This is their latest piece on how golf causes mass acts of violence:
[spoiler]
Yes I am aware that that's a paddle and not a golf club. Sue me.
[/spoiler]
- ibm5155
- Addicted to Zandronum
- Posts: 1641
- Joined: Tue Jun 05, 2012 9:32 pm
- Location: Somewhere, over the rainbow
RE: Please change your passwords; SSL vulnerability patched
Too lazy to change the boontuoteg password
Projects
Cursed Maze: DONE, V2.0
Zombie Horde - ZM09 map update: [3/15/13]
Need help with English? Then you've come to the right place!
<this post is proof of "Decline">
RE: Please change your passwords; SSL vulnerability patched
I have not seen this flourish in the newspapers, even though it would be a 100% front page article. I dunno, but it seems a bit weird to me too.
RE: Please change your passwords; SSL vulnerability patched
So, seems like the NSA has known about this exploit for 2 years and said nothing, to take advantage of it. :D
How nice!
RE: Please change your passwords; SSL vulnerability patched
Thanks for the heads up. I've been taking this OpenSSL thing with a grain of salt. More or less because simply changing my password will not work unless I know for sure it's been patched.
Quite honestly, this has been the only place to mention anything about it so far (at least where I have an account).
Last edited by Rainbow on Sat Apr 12, 2014 2:42 pm, edited 1 time in total.