Heartbleed Open SSL Vulnerability - Information needed

Saint Michaels Soul
Stay Frosty.
A Band Apart.
#1 - 2014-04-09 15:51:18 UTC
There is a massive security flaw in Open SSL, announced officially yesterday, which means that "secure" websites (except those running MS IIS oddly) such as the eve forums and indeed the Eve Gate website can have all of their data read and intercepted, if they are using this software.

Can someone from CCP tell us:

1. Whether this has been patched yet (Please god say "yes")
2. Whether we should all update all of our account passwords (I suspect "yes") for every account

As a game constantly targeted by hackers and DDoS attacks, it would be nice to have a reassuring announcement from the tech gerbils who manage the sites (and potentially the launcher), even if it's to say "nothing to worry about, doesn't affect us".

Saint Mick.
Crasniya
The Aussienauts
#2 - 2014-04-09 15:53:15 UTC
As far as I know, CCP is actually pretty heavily reliant on Microsoft infrastructure. ASPX for the forums, MSSQL for the database, etc. The OpenSSL flaw affects Linux servers, so I doubt much of CCP's infrastructure is affected.

Soraya Xel - Council of Planetary Management 1 - soraya@biomassed.net

Enraku Reynolt
Of Tears and ISK
#3 - 2014-04-09 15:56:16 UTC
it's things like this that make me wish they would give us an authentication app, or maybe an option to get a text if your account is logged in from somewhere removed from your previous

just something to add an extra layer to the accounts
Velicitia
XS Tech
#4 - 2014-04-09 15:56:54 UTC  |  Edited by: Velicitia
Seeing as CCP is a MS shop all the way, it's a pretty good bet they're running MS IIS for the web servers too.

(also, asp pages).

edit - beaten to it

One of the bitter points of a good bittervet is the realisation that all those SP don't really do much, and that the newbie is having much more fun with what little he has. - Tippia

Tippia
Sunshine and Lollipops
#5 - 2014-04-09 15:58:13 UTC
What we don't particularly need is a second thread on the topic…
Doc Fury
Furious Enterprises
#6 - 2014-04-09 15:59:22 UTC
I guess OP missed the other thread on this. You could always file a support ticket if you want an official answer.

FYI, openSSL is used in lots of things other than "linux servers".


Great day to be an SSL cert vendor.



There's a million angry citizens looking down their tubes..at me.

Lucas Kell
Solitude Trading
S.N.O.T.
#7 - 2014-04-09 16:15:10 UTC
Doc Fury wrote:
FYI, openSSL is used in lots of things other than "linux servers".
This.

And like others have said, CCP run on Microsoft servers which would only be vulnerable if you went out of your way to make it use OpenSSL, and would have considerably more problems than this one.

What you should take into account though is that other servers may be vulnerable, so if you use the same passwords anywhere else they could theoretically be captured if the site or service is vulnerable. And it's not just web servers either, it's pretty much anything that uses OpenSSL.

The Indecisive Noob - EVE fan blog.

Wholesale Trading - The new bulk trading mailing list.

Bienator II
madmen of the skies
#8 - 2014-04-09 16:15:12 UTC
I don't think CCP has a single Linux server in their stack.

how to fix eve: 1) remove ECM 2) rename dampeners to ECM 3) add new anti-drone ewar for caldari 4) give offgrid boosters ongrid combat value

Ramona McCandless
Silent Vale
LinkNet
#9 - 2014-04-09 16:17:12 UTC
Thank the Gods I'm just an algorithm

"Yea, some dude came in and was normal for first couple months, so I gave him director." - Sean Dunaway

"A singular character could be hired to penetrate another corps space... using gorilla like tactics..." - Chane Morgann

Mr Epeen
It's All About Me
#10 - 2014-04-09 16:35:26 UTC
By the time we proles find out anything it is already too late.

We are doomed people. Just kiss your ass goodbye.

Mr Epeen
Serene Repose
#11 - 2014-04-09 18:08:25 UTC
bleeding heart liberals always worrying about how things feel...how's your computer feel? geez. grow a pair!

(This incendiary message has been brought to you as a public service by People Who Do Not Care, all rights reserved.)

We must accommodate the idiocracy.

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#12 - 2014-04-09 18:16:50 UTC
Should also be noted, it's not all Linux servers either.

There are a great many servers running on the 0.9.8 branch of OpenSSL, which are totally unaffected by this bug.

Until around 4 months ago, CentOS 6 wasn't on the vulnerable version. (and if they upgraded, it may not have loaded the new library). 5 is still running on 0.9.8

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter
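
Added example, not part of any post in this thread: a Python sketch of the two checks the post above points at, whether an upstream OpenSSL version is in the affected range and whether a running process still maps a replaced libssl after an upgrade. The affected range (1.0.1 through 1.0.1f) is not stated in the thread and is supplied here; the function names and the sample `/proc/<pid>/maps` text are constructed for illustration.

```python
import re

# Upstream OpenSSL 1.0.1 through 1.0.1f shipped the flawed heartbeat code;
# 1.0.1g fixed it. The 0.9.8 and 1.0.0 branches never had it.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
_DELETED = " (deleted)"

def heartbleed_affected(version):
    """True if an upstream version string falls in 1.0.1 .. 1.0.1f.

    Distributions backport fixes without changing the upstream version,
    so for distro packages the package release has to be checked too.
    """
    m = _VERSION.search(version)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % version)
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    return branch == (1, 0, 1) and m.group(4) < "g"

def stale_ssl_mappings(maps_text):
    """Return libssl/libcrypto files a process still maps after the file
    was replaced on disk (the kernel marks such mappings "(deleted)")."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.strip().split(None, 5)
        if len(fields) < 6:          # anonymous mapping, no path
            continue
        path = fields[5]
        if path.endswith(_DELETED) and re.search(r"lib(ssl|crypto)\.so", path):
            stale.add(path[: -len(_DELETED)])
    return sorted(stale)

# Constructed sample in /proc/<pid>/maps format (not from a real host).
SAMPLE_MAPS = """\
00400000-004b2000 r-xp 00000000 fd:00 131201 /usr/sbin/httpd
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a1c200000-7f3a1c262000 r-xp 00000000 fd:00 262817 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c600000-7f3a1c7b6000 r-xp 00000000 fd:00 262815 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1d000000-7f3a1d18a000 r-xp 00000000 fd:00 262310 /lib64/libc-2.12.so
"""

if __name__ == "__main__":
    for v in ("0.9.8y", "1.0.1e", "1.0.1g"):
        print(v, "affected" if heartbleed_affected(v) else "not affected")
    print("restart needed for:", stale_ssl_mappings(SAMPLE_MAPS))
```

A process listed by `stale_ssl_mappings` keeps executing the old library code until it is restarted, which is the "may not have loaded the new library" case.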

Doireen Kaundur
Doomheim
#13 - 2014-04-09 20:11:35 UTC
Saint Michaels Soul wrote:
(except those running MS IIS oddly)

Ironic, huh?

For your Freighter sized shipping needs, contact Lord Chanlin. Fast, affordable, reliable service.

https://gate.eveonline.com/Profile/Lord%20Chanlin

ISD Ezwal
ISD Community Communications Liaisons
ISD Alliance
#14 - 2014-04-09 20:17:14 UTC
As there is already a thread on the same topic (including Dev answer), this one gets a lock.

The rules:
16. Redundant and re-posted threads will be locked.

As a courtesy to other forum users, please search to see if there is a thread already open on the topic you wish to discuss. If so, please place your comments there instead. Multiple threads on the same subject clutter up the forums needlessly, causing good feedback and ideas to be lost. Please keep discussions regarding a topic to a single thread.

ISD Ezwal Community Communication Liaisons (CCLs)