Old 04-10-2014, 09:00 PM   #1
joyote
Premium Access
 
Join Date: Apr 8, 2012
Location: New Mexico
Posts: 2,084
Encounters: 88
Heartbleed bug

Have the necessary patches been installed to protect ECCIE and users of ECCIE.net from this widespread security flaw?
joyote is offline   Quote
Old 04-10-2014, 10:19 PM   #2
LNK
Valued Poster
 
Join Date: Mar 12, 2013
Location: Eastern NE
Posts: 1,555
Encounters: 28

http://eccie.net/showthread.php?t=1030605
LNK is offline   Quote
Old 04-10-2014, 10:56 PM   #3
Guest043014
Account Disabled
 
Join Date: Feb 7, 2014
Location: Albuquerque
Posts: 96
Encounters: 1

I heard these sites were affected by the bug and you should change your passwords if you have an account.

Google, YouTube and Gmail, Facebook, Yahoo, Yahoo Mail, Tumblr, Flickr, OKCupid, Wikipedia.

I have a hobby email account with Gmail, so I will go ahead and change the password for it.
Guest043014 is offline   Quote
Old 04-10-2014, 11:07 PM   #4
Mokoa
The Mod In Black®
 
Join Date: Nov 22, 2009
Location: San Antonio
Posts: 36,497
Encounters: 4

You may want to wait until the affected sites for which you have an account have addressed the issue. Changing your password before the issue is taken care of will only expose your new password the same way the previous password was exposed.
Mokoa is offline   Quote
Old 04-10-2014, 11:29 PM   #5
laserface
Premium Access
 
Join Date: Dec 30, 2009
Location: Pittsburgh, PA
Posts: 1,662
Encounters: 36

Quote:
Originally Posted by joyote View Post
Have the necessary patches been installed to protect ECCIE and users of ECCIE.net from this widespread security flaw?
ECCIE doesn't use SSL at all, so it was never vulnerable to this particular flaw.
laserface is offline   Quote
Old 04-11-2014, 06:39 AM   #6
joyote
Premium Access
 
Join Date: Apr 8, 2012
Location: New Mexico
Posts: 2,084
Encounters: 88

Quote:
Originally Posted by laserface View Post
ECCIE doesn't use SSL at all, so it was never vulnerable to this particular flaw.
That's good to hear, but how do you know this?


It would be nice if ECCIE would put out an official statement on this issue.
joyote is offline   Quote
Old 04-11-2014, 09:06 AM   #7
ilikeitlikethat
Valued Poster
 
Join Date: Jan 23, 2013
Location: denver
Posts: 204
Encounters: 24

It would be nice if Eccie did put out a statement on this subject. P411 did.
ilikeitlikethat is offline   Quote
Old 04-11-2014, 12:50 PM   #8
laserface
Premium Access
 
Join Date: Dec 30, 2009
Location: Pittsburgh, PA
Posts: 1,662
Encounters: 36

Quote:
Originally Posted by joyote View Post
That's good to hear, but how do you know this?


It would be nice if ECCIE would put out an official statement on this issue.
The short answer is - about 20 years of experience with web servers and SSL.

The longer answer is - anyone with knowledge of what SSL is and how it works can confirm this for themselves by watching their network traffic while browsing ECCIE (particularly when logging in) using something like the Developer Tools panel in Internet Explorer, Firebug in Firefox, or the Chrome Developer Tools in Chrome. Or just by looking at the page source for the various pages on ECCIE and seeing that "https:" is never used anywhere, other than for third-party ads (and these third-party servers, not operated or managed by ECCIE, wouldn't have access to things like your ECCIE credentials).
laserface is offline   Quote
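The page-source check described in the post above, as an added example that is not part of the original thread: it finds where a password form submits and which hosts are referenced over https:. The sample markup, the hosts forum.example and ads.example.net, and the names SourceAudit and audit are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page source for a hypothetical forum (not any real site's markup).
SAMPLE_URL = "http://forum.example/index.php"
SAMPLE_HTML = """
<form action="login.php?do=login" method="post">
  <input type="text" name="username"><input type="password" name="password">
</form>
<script src="https://ads.example.net/serve.js"></script>
"""

class SourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None   # absolute action URL of the form currently open
        self.login_targets = []   # URLs that receive a password field
        self.https_hosts = set()  # hosts referenced over https:

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the scheme of the page itself.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.form_action:
            self.login_targets.append(self.form_action)
        for name in ("src", "href", "action"):
            url = urlparse(urljoin(self.page_url, a.get(name) or ""))
            if a.get(name) and url.scheme == "https":
                self.https_hosts.add(url.hostname)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    """Report where passwords go in cleartext and which hosts are reached over https."""
    p = SourceAudit(page_url)
    p.feed(html)
    site = urlparse(page_url).hostname
    return {
        "cleartext_logins": [t for t in p.login_targets if urlparse(t).scheme != "https"],
        "first_party_https": site in p.https_hosts,
        "third_party_https": sorted(h for h in p.https_hosts if h != site),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_URL, SAMPLE_HTML))
```

Page source only shows what the markup declares; watching the login request in the browser's network panel, as the post suggests, confirms what is actually sent.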
Old 04-11-2014, 06:17 PM   #9
Easyeddie
Lifetime Premium Access
 
Join Date: Nov 15, 2012
Location: Houston
Posts: 105
Encounters: 25

So to put it another way

OpenSSL: false sense of security

No SSL: no security at all...

so if you're worried about whether ECCIE was affected...... well, that's the last thing to worry about...

Quote:
Originally Posted by laserface View Post
The short answer is - about 20 years of experience with web servers and SSL.

The longer answer is - anyone with knowledge of what SSL is and how it works can confirm this for themselves by watching their network traffic while browsing ECCIE (particularly when logging in) using something like the Developer Tools panel in Internet Explorer, Firebug in Firefox, or the Chrome Developer Tools in Chrome. Or just by looking at the page source for the various pages on ECCIE and seeing that "https:" is never used anywhere, other than for third-party ads (and these third-party servers, not operated or managed by ECCIE, wouldn't have access to things like your ECCIE credentials).
Easyeddie is offline   Quote
Old 04-11-2014, 07:23 PM   #10
jframe2
Valued Poster
 
Join Date: Aug 5, 2010
Location: World Citizen
Posts: 886

The public knowledge of Heartbleed is months and months behind the Industry responses and the responses by users of OpenSSL.

It was hoped that the whole thing was to be kept under wraps by all parties concerned. How the problem got into the public media is going to be pretty interesting, if you are in the industry.

Change your passwords and move on with your life.
jframe2 is offline   Quote
Old 04-11-2014, 11:18 PM   #11
laserface
Premium Access
 
Join Date: Dec 30, 2009
Location: Pittsburgh, PA
Posts: 1,662
Encounters: 36

Quote:
Originally Posted by Easyeddie View Post
So to put it another way

OpenSSL: false sense of security

No SSL: no security at all...

so if you're worried about whether ECCIE was affected...... well, that's the last thing to worry about...
I wouldn't say that. "SSL" does not mean "security", nor does "no SSL" mean "no security". Keep in mind, what SSL does is that it stops (or at least makes it impractical to accomplish) information you send to/from a server from being observed or otherwise messed with by a third-party. (It does some other things too, but there's no need to get into that level of detail here.) Without SSL, the information you send and receive could be observed or changed while it's being sent across the network. However, to be able to do that, the bad guy needs to be in a "privileged position" on the network. The next-door neighbor who's snooping the packets on your wireless network and has somehow cracked your encryption key (you're still using WEP? Really?). The guy at the table next to you who's snooping the packets on the wireless network while you're surfing the Internet on your laptop at your local coffee shop (where the wireless network probably uses no encryption at all). The technicians at your ISP - or, in fact, at any other network service provider that the data has to pass through to get where it's going. Your employer, if you're surfing the Internet via your employer's network. The FBI, if they've got a CALEA-authorized tap to monitor your network activity at your ISP (or at the server's ISP). The NSA, since they monitor everything, everywhere.... The point is, someone's somehow got to get a foothold in the actual network infrastructure in order to steal your information.

By contrast, while the Heartbleed vulnerability does not allow an attacker to modify your network traffic, it has the potential to expose your information to ... anyone, anywhere... The best explanation I've seen so far about how the vulnerability works is:

http://xkcd.com/1354

In terms of how bad this vulnerability is, I've heard one information security researcher describe it as, "On a scale of 1 to 10, this is an 11."

While it would be ideal if ECCIE would use SSL, I can imagine some reasons why it might be difficult to implement (such as, having to provide positive ID and such to an SSL certificate authority...), and I'm sufficiently comfortable with the fact that they don't (though if ECCIE eventually did offer access to the site via https:, using a self-signed certificate or something, I'd certainly use it just to get the data encrypted in transit). If it is a concern to you, you can take some steps to significantly mitigate it. Use a different password on ECCIE than you use for anything else, and change it regularly. Don't browse ECCIE from public networks (like the local library, the nearby coffee shop with free WiFi, etc.), or from work. Make sure your home WiFi network uses strong encryption (WPA/WPA2). Some simple, common sense precautions should eliminate most of your concerns.
laserface is offline   Quote
Old 04-11-2014, 11:29 PM   #12
LNK
Valued Poster
 
Join Date: Mar 12, 2013
Location: Eastern NE
Posts: 1,555
Encounters: 28

xkcd is the shit.

Thank you for your post, laserface.
LNK is offline   Quote
Old 04-12-2014, 09:35 AM   #13
Easyeddie
Lifetime Premium Access
 
Join Date: Nov 15, 2012
Location: Houston
Posts: 105
Encounters: 25

Sigh. Yes. It was an oversimplification.

SSL or not, yes, someone has to be in a position to sniff your network data.

The point is Heartbleed is irrelevant to Eccie, not because it used a non-OpenSSL protocol, but because it doesn't use SSL at all. Your data to/from eccie is being transmitted in clear text already.
Easyeddie is offline   Quote