willowing
Lorien
Apr 12 2014, 3:29am
Post #1 of 9
(269 views)
There is a bug called 'heartbleed' doing the rounds on the internet. A website I follow advised that they have fixed the issue on their site and found no evidence of mischief on followers' accounts but to be extra careful and to reset a new password. Which I have done. Are there any updates from the moderators on TheOneRing.net as to security measures fans should be advised about?
Ataahua
Forum Admin
/ Moderator
Apr 12 2014, 4:11am
Post #2 of 9
(211 views)
Inferno or Altaira might be able to answer this for you.
By the way I've moved your question to Feedback as this is the best place to ask about website matters.
Celebrimbor: "Pretty rings..." Dwarves: "Pretty rings..." Men: "Pretty rings..." Sauron: "Mine's better." "Ah, how ironic, the addictive qualities of Sauron’s master weapon led to its own destruction. Which just goes to show, kids - if you want two small and noble souls to succeed on a mission of dire importance... send an evil-minded beggar with them too." - Gandalf's Diaries, final par, by Ufthak. Ataahua's stories
Inferno
Superuser
/ Moderator
Apr 12 2014, 5:14am
Post #3 of 9
(231 views)
The tl;dr answer is: tOR.N isn't affected by Heartbleed.

The long answer (trying to take the techy terms down to layman's levels as much as possible): Unlike most of the vulnerabilities you hear about online, heartbleed isn't a virus, trojan, or other form of malware. It's a bug in the code of a specific piece of software: OpenSSL. What OpenSSL does is (roughly) handle encryption for websites (known as SSL encryption). This is great when you're doing banking, or using your credit card online, but not generally necessary for day-to-day browsing. OpenSSL is just one program that does this, although it's far and away the most common one.

You can tell if a website is using SSL encryption (although not whether it's OpenSSL or not) by whether the site URL starts with http or https. The 's' means it's secure and using SSL. So only sites that use https protocol would be potentially susceptible. tOR.N doesn't (at least not in any of the sections of the site that we generally frequent). Since it's not using https, there're no OpenSSL connections to be affected by heartbleed.

For sites that do use https, there's a digital certificate associated with the site. You can view the certificate by (at least in Firefox-- IE or Chrome will be similar but not entirely the same) right-clicking somewhere on the page, selecting view page info, selecting the security tab in the pop-up window, and clicking on view certificate. There will be a pair of dates along the lines of "issued on" and "expires on" or "not valid before" and "not valid after". If the certificate is older (e.g. not issued in the past week or so), then you will want to check with the site admins to see if the site is vulnerable (not all servers were, it was only a few versions of OpenSSL that had the bug).

If the cert hasn't been replaced recently, then you won't want to change your password until either the admin confirms the site wasn't affected by the bug or until they issue a new cert, because you would just be exposing both old and new password potentially to anyone exploiting the bug. If the cert has been recently replaced, then it's a good idea to change your password, just to be sure. It's unknown if any sites were compromised, and it's better to be safe than sorry.

In general, it's a good idea to change your passwords semi-regularly (say, two to four times a year), particularly for sensitive accounts like banking ones. Something like tOR.N isn't as sensitive, and, while the web traffic isn't encrypted, the password database for the message boards (and presumably Barliman's, although I have no access to that, so I don't know for certain) is, and you would have to be hit with what's referred to as a 'man-in-the-middle attack' for someone to get your tOR.N account info while you were logging in-- essentially they would be pretending to be the tOR.N site and intercepting your traffic before it ever gets here. Not something someone would be likely to do to a site like ours.

Personally, I have about a half-dozen 'throw-away' passwords that I use for various message boards and common sites where I don't particularly care if it's going to get hacked or not, and then the things I do care about (email, banking, tOR.N (since I have super user access here)), I use unique much more secure passwords and change them fairly regularly.

The heartbleed bug was due to some code not being properly written and xkcd has a great write-up of how it works in practice in rather easy-to-understand language. http://www.xkcd.com/1354/

I spent a good chunk of my time at work this week identifying which servers we had that were vulnerable and fixing them. Fortunately, we only had a few that had the bug and none of them were exposed to the outside world, so it was an easy fix for me. =)

Hope that's helpful!

Inferno.
====================== Good night, tOR.Nados. Good work. Sleep well. I'll most likely delete you in the morning. ======================
(This post was edited by Inferno on Apr 12 2014, 5:15am)
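The certificate-date rule of thumb from the post above, written out as an added example that is not part of the original thread. The function names, the 10-day reading of "the past week or so", and the two sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: "issued in the past week or so" is modelled as 10 days.
RECENT = timedelta(days=10)

def fetch_cert(host, port=443):
    """Fetch a site's certificate as a dict (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _utc(cert_time):
    """Convert a certificate date string to an aware UTC datetime."""
    secs = ssl.cert_time_to_seconds(cert_time)
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def password_advice(cert, today, admin_says_unaffected=False):
    """Apply the rule of thumb to a getpeercert()-style dict."""
    issued, expires = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    if not issued <= today <= expires:
        return "certificate-not-valid"   # outside its validity window
    if today - issued <= RECENT:
        return "change-password"         # certificate was recently replaced
    if admin_says_unaffected:
        return "safe-to-change"          # admin confirmed the site was not affected
    return "ask-admin-and-wait"          # old certificate, status unknown

# Constructed sample certificates; only the two date fields are used.
OLD_CERT = {"notBefore": "Jun  3 00:00:00 2013 GMT",
            "notAfter": "Jun  3 23:59:59 2015 GMT"}
NEW_CERT = {"notBefore": "Apr  9 00:00:00 2014 GMT",
            "notAfter": "Apr  9 23:59:59 2016 GMT"}
TODAY = datetime(2014, 4, 12, tzinfo=timezone.utc)  # date of this thread

if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, password_advice(cert, TODAY))
```

A reissued certificate may carry its original dates, so an old issue date is a reason to ask the admin, not proof that the site is still exposed.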
Brethil
Half-elven
Apr 12 2014, 5:32am
Post #4 of 9
(213 views)
Have an idea relating to the world of JRR Tolkien that you would like to write about? If so, the Third TORn Amateur Symposium will be running in the Reading Room April, 2014. *The Call for Submissions is up*! **And Rem, you are doing that CoH chapter. Don't forget. **
willowing
Lorien
Apr 12 2014, 7:54am
Post #6 of 9
(194 views)
for simplifying the usage of language in this area. The explanation given in your post about the heartbleed. It has enlightened my lack of understanding about many tech terms and their purpose. As Brethil said earlier, great info.
entmaiden
Forum Admin
/ Moderator
Apr 12 2014, 12:25pm
Post #7 of 9
(177 views)
We also got confirmation from Corvar
that TORn is not impacted. He basically gave the staff an explanation like Inferno's excellent analysis. Corvar runs the TORn server.
The Grey Elf
Grey Havens
Apr 12 2014, 12:27pm
Post #8 of 9
(200 views)
I've been wondering about this since news broke
Thanks for bringing this to everyone's attention and to Inferno for his thorough explanation. Fingers crossed ....
You are what you read.
Meneldor
Valinor
Apr 13 2014, 2:53am
Post #9 of 9
(177 views)
In the immortal words of Jesse Ventura
I ain't got time to bleed.
They that go down to the sea in ships, that do business in great waters; These see the works of the Lord, and His wonders in the deep.