Issues, Workarounds & Localization

Is eveonline.com vulnerable to the recently uncovered OpenSSL bug?

Judiciary Pag
Usually Harmless
Tin Can Alliance
#1 - 2014-04-08 12:20:07 UTC  |  Edited by: Judiciary Pag
Is it time to start changing our passwords and stuff? I just ran some PoC code for this bug on my own server and was trivially able to get random bits of cookie data (containing logins/sessionIds) and even bits of PHP code. The fact that I can't even see this in the logs means the fallout of this bug is going to be enormous /o\

On reddit there is a fascinating thread with people trying this on big, well-known websites (i.e. Yahoo mail), unwise as that seems, but they are able to actually get login data for users,
Herzog Wolfhammer
Sigma Special Tactics Group
#2 - 2014-04-08 23:42:42 UTC  |  Edited by: Herzog Wolfhammer
Bump.

This is HUGE.

Protect yourself from the heartbleed bug

I already tested a program freely available on the internet and ran it against a server I have control of to find it was vulnerable - so this is everywhere.

More information

Bring back DEEEEP Space!

Sum Olgy
Perkone
Caldari State
#3 - 2014-04-09 19:40:32 UTC
CCP - you need to answer this. It's either 'Yes - we've patched so you should change your passwords' or 'No - we weren't affected'.
CCP Eterne
C C P
C C P Alliance
#4 - 2014-04-09 20:13:20 UTC  |  Edited by: CCP Eterne
No, we were not affected. We do not use OpenSSL on our account services.

HOWEVER, store.eve.com (which is run by Musterbrand) was vulnerable (it has been patched), so if you used that at all, it is a good idea to change your passwords there. But nothing on the eveonline.com website itself, or for our game servers, was vulnerable.

EVE Online/DUST 514 Community Representative ※ EVE Illuminati ※ Fiction Adept

@CCP_Eterne ※ @EVE_LiveEvents

Padrone
Perkone
Caldari State
#5 - 2014-04-09 20:24:01 UTC  |  Edited by: Padrone
The IIS is faultily configured!
https://www.ssllabs.com/ssltest/analyze.html?d=secure.eveonline.com

- secure.eveonline.com still prefers older cipher suites, which are not using PFS by default!
- PFS is a must-have for TLS 1.2

Change your cipher suites to TLS_ECDHE_RSA / TLS_DHE_RSA_, which are the preferred ones for TLS 1.2.

Highest encryption should be: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Have a look at:
https://www.ssllabs.com/ssltest/analyze.html?d=posteo.de (one of the most secure mail providers in Europe (Berlin))
Thx
Sum Olgy
Perkone
Caldari State
#6 - 2014-04-09 22:18:48 UTC
Thanks
Sentient Blade
Crisis Atmosphere
Coalition of the Unfortunate
#7 - 2014-04-09 23:13:53 UTC
Perfect forward secrecy is desirable, but not essential.
Steven Alfrir
Republic University
Minmatar Republic
#8 - 2014-04-09 23:53:05 UTC  |  Edited by: CCP Eterne
CCP Eterne wrote:
No, we were not affected. We do not use OpenSSL on our server or any of our account services.

HOWEVER, store.eve.com (which is run by Musterbrand) was vulnerable (it has been patched), so if you used that at all, it is a good idea to change your passwords there. But nothing on the eveonline.com website itself, or for our game servers, was vulnerable.


Good to hear that eveonline.com is not affected, but I changed my password anyway, since I logged into the EVE Online Store using the account I'm posting this with. I changed it just to be safe and because I don't want some thief to go and steal all 49 ships I own, plus all the ammo, hybrid charges and missiles used to keep my ships in top fighting condition.

I like crazy plans

Dun'Gal
Myriad Contractors Inc.
#9 - 2014-04-10 03:23:30 UTC  |  Edited by: Dun'Gal
Funny anecdote on this: my roommate was in doing his taxes today and the lady preparing them was convinced that the heartbleed bug was a biological illness and millions of people were dying left and right. When he questioned her about it, not having heard about it yet himself, she said "duh, it's called bleeding heart, so obviously their hearts are bleeding". Ah, the uninformed.
Markku Laaksonen
EVE University
Ivy League
#10 - 2014-04-10 13:00:54 UTC
And if we use the "Login with your existing EVE Account" option to log into the store? Would we need to change our EVE account password?

(I am, as Dun'Gal mentioned, one of the uninformed. Or at least not very bright.)

DUST 514 Recruit Code - https://dust514.com/recruit/zluCyb/

EVE Buddy Invite - https://secure.eveonline.com/trial/?invc=047203f1-4124-42a1-b36f-39ca8ae5d6e2&action=buddy

Padrone
Perkone
Caldari State
#11 - 2014-04-12 09:25:50 UTC  |  Edited by: Padrone
Sentient Blade wrote:
Perfect forward secrecy is desirable, but not essential.

SSL/TLS is desirable, but not essential ^^

https://www.ssllabs.com/ssltest/analyze.html?d=forums.eveonline.com
-> All sessions are encrypted with RC4, with no FS!
https://en.wikipedia.org/wiki/RC4

- In this way, your HTTPS session is almost in clear text.

Fact is: use current techniques in accordance with the time.

Switching to TLS 1.2 is done in about 5 minutes for a conscientious admin.
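As an added illustration of the points Padrone raises in #5 and #11 (server-preferred cipher suites, forward secrecy, RC4), and not code from this thread or from CCP: a small Python audit over an IANA-style cipher-suite preference list, of the kind a scanner such as SSL Labs reports. The sample preference orders are constructed for the example and are not real scan results for any host.

```python
"""Audit a server's cipher-suite preference list (first entry = server's top choice)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SuiteInfo:
    # Properties derived from an IANA name like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    name: str
    forward_secrecy: bool   # (EC)DHE key exchange: session keys not recoverable from the RSA key
    rc4: bool               # RC4 stream cipher, with known keystream biases
    aead: bool              # GCM / ChaCha20-Poly1305: authenticated encryption, no CBC padding


def analyze_suite(name: str) -> SuiteInfo:
    """Split '<TLS>_<key exchange>_WITH_<cipher>_<MAC/PRF>' and flag its properties."""
    head, sep, body = name.partition("_WITH_")
    if not head.startswith("TLS_") or not sep or not body:
        raise ValueError(f"not an IANA cipher-suite name: {name!r}")
    kx = head[len("TLS_"):]
    return SuiteInfo(
        name,
        forward_secrecy=kx.startswith(("ECDHE_", "DHE_")),
        rc4=body.startswith("RC4_"),
        aead="_GCM_" in body or "POLY1305" in body,
    )


def audit_preference(suites: list[str]) -> list[str]:
    """Return the findings a thread like this one would raise; empty list means clean."""
    infos = [analyze_suite(s) for s in suites]
    findings = []
    if any(i.rc4 for i in infos):
        findings.append("RC4 suite offered")
    if not any(i.forward_secrecy for i in infos):
        findings.append("no forward-secret suite offered at all")
    elif not infos[0].forward_secrecy:
        findings.append("top preference lacks forward secrecy")
    if infos and not infos[0].aead:
        findings.append("top preference is not an AEAD suite")
    return findings


# Constructed sample preference lists (hypothetical, not scan output for any real host).
LEGACY_ORDER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
RECOMMENDED_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for label, order in (("legacy", LEGACY_ORDER), ("recommended", RECOMMENDED_ORDER)):
        print(label, audit_preference(order) or ["ok"])
```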
PrettyMuch Always Right
Doomheim
#12 - 2014-04-13 00:53:53 UTC
I'm just gonna do nothing... if someone steals my ****, I'll either chalk it up to emergent gameplay or come here and make a long whining post before I quit.