Possible MN Heartbleed vulnerability

cozietoesie · 10/04/2014 10:17

Without wanting to start a scare where the reality of the problem might be limited, are MNHQ recommending a change of password to users given that Mumsnet looks at the moment to be one of the sites classified as vulnerable?

saintsalive · 10/04/2014 10:19

I would like to know this too please.

meditrina · 10/04/2014 10:21

OP: have you got a good list of sites found to be vulnerable?

Does MN even have a SSL?

cozietoesie · 10/04/2014 10:26

Yes - it looks to have an SSL.

Here's an article on it:
https://uk.news.yahoo.com/heartbleed-causes-massive-online-scare-don-t-change-071235068.html#UTTK6tI
There's a list linked in towards the bottom of the article although you'll likely go goggle eyed trying to use it.

meditrina · 10/04/2014 10:30

Curses! I was looking at the GitHub list earlier, and had hoped you might have found something easier to read!

cozietoesie · 10/04/2014 10:31

Sorry. Maybe give it a few hours for someone to play around with it.

RowanMumsnet · 10/04/2014 10:32

Hello - we do understand people's concerns about Heartbleed; we've asked Tech for their viewpoint and will post it up when we have it.

cozietoesie · 10/04/2014 10:34

Thanks Rowan.

ShamTech · 10/04/2014 10:47

Hi all. Thanks for your concerns.

Firstly, we already applied the fix to our servers shortly after the news broke. You can check for yourselves at filippo.io/Heartbleed - just type mumsnet.com into the field and hit the button.

Secondly, due to the fact that user passwords on Mumsnet are not revealed, not even to the user of the account, there is no way for anyone who may have been able to masquerade as you using the Heartbleed bug, to find out what your password is. And because they need to know your password to change your password, they would also not have been able to lock you out of your own account.

We have no evidence whatsoever of anyone's account having been compromised at Mumsnet. From Tech's point of view, you should not need to change your password.

cozietoesie · 10/04/2014 11:06

Fast action, Tech. Well done.

meditrina · 10/04/2014 21:14

(somewhat later on) - Thanks Tech! Wine

meditrina · 11/04/2014 18:28

A bump, given what's just happened and some posters wondering if it could be Heartbleed.

cozietoesie · 11/04/2014 18:50

I did wonder a little.

cozietoesie · 11/04/2014 19:00

Put it this way - I've changed my password.

Keepithidden · 11/04/2014 20:15

Shamtech, you said this "Secondly, due to the fact that user passwords on Mumsnet are not revealed, not even to the user of the account, there is no way for anyone who may have been able to masquerade as you using the Heartbleed bug, to find out what your password is. And because they need to know your password to change your password, they would also not have been able to lock you out of your own account."

This is completely untrue.

This shows you don't actually know how the heartbleed bug works. There could have been some real damage done here, but instead an obvious joke thread was posted which alerted the community that security has been compromised.

The way heartbleed works is by dumping random bits of the server's RAM. The site is patched now, but the way that Justine's password was got could be applied to any other user logging in at the same time.

Signed.

Someone in the know ;)
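
The missing length check behind the behaviour described in the post above, as an added example that is not part of the original thread and is not OpenSSL's code: a simplified heartbeat handler with and without the bounds check, run over a constructed buffer standing in for server memory. The function names, the arena and the sample data are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* type (1 byte) + payload_length (2 bytes, big-endian) */
#define HB_PADDING 16  /* minimum padding after the payload (RFC 6520) */

/* Echo the payload of a heartbeat request of rec_len received bytes into out.
 * Returns bytes echoed, or 0 if the request is discarded.
 * check_length == 0 models the pre-fix behaviour: the claimed length is trusted. */
size_t heartbeat_echo(const uint8_t *rec, size_t rec_len, int check_length,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: the claimed payload must fit inside what was actually received. */
    if (check_length && HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;
    if (claimed > out_cap)
        return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Constructed stand-in for server memory: one heartbeat request followed by
 * unrelated data left over from another user's login request. */
static uint8_t arena[64];
#define REQ_LEN (HB_HEADER + 2 + HB_PADDING)   /* header + "hi" + padding = 21 */

size_t demo(int check_length, uint8_t *out, size_t out_cap)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                 /* heartbeat_request */
    arena[1] = 0; arena[2] = 40;  /* claims 40 payload bytes, carries only 2 */
    memcpy(arena + HB_HEADER, "hi", 2);
    memcpy(arena + REQ_LEN, "password=constructed-demo", 25);
    return heartbeat_echo(arena, REQ_LEN, check_length, out, out_cap);
}

int main(void)
{
    uint8_t out[64];
    size_t n = demo(0, out, sizeof out);
    printf("unchecked: %zu bytes echoed, tail \"%.*s\"\n", n, (int)(n - 18), out + 18);
    printf("checked:   %zu bytes echoed\n", demo(1, out, sizeof out));
    return 0;
}
```

Hashing passwords in storage does not change this outcome, because a login request holds the password in plaintext in memory while the server processes it.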

slightlyglitterstained · 11/04/2014 21:02

This is a nice explanation
xkcd.com/1354/

Agree with Keepithidden.

slightlyglitterstained · 11/04/2014 21:05

And sitting here on my phone, I notice my connection is http anyway!

fuzzpig · 11/04/2014 21:15

Blimey I hadn't even heard about this <technophobe
As an aside should I be concerned about online banking Shock

ImAThrillseekerHoney · 11/04/2014 21:15

So why has everyone suddenly been logged out?

ouryve · 11/04/2014 21:46

Twice

MargotLovedTom · 11/04/2014 21:49

I haven't got a clue what Heartbleed is but I was logged out about five minutes ago and have just had to log back in. Do I need to change my password?

cozietoesie · 11/04/2014 22:05

It would do no harm to change it in any case, Margot, if the site is one that's had a fix put in.

ShamTech · 11/04/2014 23:49

Thanks to all for your patience and for bringing all this to our attention. As can be seen, we are as vulnerable as any other site using password logins. Despite our best efforts, somebody clearly took advantage of the published vulnerability before we applied the fix earlier this week. As Keepithidden points out the damage was thankfully minor. And whilst we do encrypt passwords on our side, if you do use the same password for other sites, it would be prudent for you to change your password.

In the next few days we will be posting some useful information for protecting yourself on the internet. Until then, thanks again for everyone's help in uncovering this and bearing with us. We'll keep doing our best to respond to these threats as quickly as we can.

slightlyglitterstained · 12/04/2014 09:36

I use LastPass for a lot of passwords - it's a good way to manage your passwords, and it'll generate passwords for you for a new site and remember them for you, so there's no reason to reuse the same password for every site. (Reusing passwords is really not a good idea, it's like having the same key for your car, front door, work. Convenient, until someone nicks your handbag....)

It also lets you check what sites have been affected by Heartbleed so you can see what you need to change: blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html

MargotLovedTom · 12/04/2014 10:51

Thanks cozietoesie

What if LastPass is hacked, slightlyglitterstained? Wink

cozietoesie · 12/04/2014 11:08

It's the risk you take using the internet - most sites are no safer than the size of the Chief Software Director's vulnerabilities. You just have to stay vigilant and exercise common sense as you should in the physical world.

(And sites like LastPass are several steps up from using 'Password' or your dog's name and your birthday - and then putting them on a yellow post it note on the fridge!)
