Heartbleed

willowing
Lorien

Apr 12 2014, 3:29am

Post #1 of 9 (269 views)
Heartbleed

There is a bug called 'heartbleed' doing the rounds on the internet.

A website I follow advised that they have fixed the issue on their site and found no evidence of mischief on followers' accounts but to be extra careful and to reset a new password. Which I have done.

Are there any updates from the moderators on TheOneRing.net as to security measures fans should be advised about?


Ataahua
Forum Admin / Moderator


Apr 12 2014, 4:11am

Post #2 of 9 (211 views)
Inferno or Altaira might be able to answer this for you.

By the way I've moved your question to Feedback as this is the best place to ask about website matters.

Celebrimbor: "Pretty rings..."
Dwarves: "Pretty rings..."
Men: "Pretty rings..."
Sauron: "Mine's better."

"Ah, how ironic, the addictive qualities of Sauron’s master weapon led to its own destruction. Which just goes to show, kids - if you want two small and noble souls to succeed on a mission of dire importance... send an evil-minded beggar with them too." - Gandalf's Diaries, final par, by Ufthak.


Ataahua's stories


Inferno
Superuser / Moderator


Apr 12 2014, 5:14am

Post #3 of 9 (231 views)
Not to worry

The tl;dr answer is: tOR.N isn't affected by Heartbleed.

The long answer (trying to take the techy terms down to layman's levels as much as possible):

Unlike most of the vulnerabilities you hear about online, Heartbleed isn't a virus, trojan, or other form of malware. It's a bug in the code of a specific piece of software: OpenSSL. What OpenSSL does is (roughly) handle encryption for websites (known as SSL encryption). This is great when you're doing banking, or using your credit card online, but not generally necessary for day-to-day browsing. OpenSSL is just one program that does this, although it's far and away the most common one.

You can tell if a website is using SSL encryption (although not whether it's OpenSSL or not) by whether the site URL starts with http or https. The 's' means it's secure and using SSL. So only sites that use the https protocol would be potentially susceptible. tOR.N doesn't (at least not in any of the sections of the site that we generally frequent). Since it's not using https, there're no OpenSSL connections to be affected by Heartbleed.

For sites that do use https, there's a digital certificate associated with the site. You can view the certificate by (at least in Firefox; IE or Chrome will be similar but not entirely the same) right-clicking somewhere on the page, selecting view page info, selecting the security tab in the pop-up window, and clicking on view certificate. There will be a pair of dates along the lines of "issued on" and "expires on" or "not valid before" and "not valid after". If the certificate is older (e.g. not issued in the past week or so), then you will want to check with the site admins to see if the site is vulnerable (not all servers were, it was only a few versions of OpenSSL that had the bug). If the cert hasn't been replaced recently, then you won't want to change your password until either the admin confirms the site wasn't affected by the bug or until they issue a new cert, because you would just be exposing both old and new password potentially to anyone exploiting the bug. If the cert has been recently replaced, then it's a good idea to change your password, just to be sure. It's unknown if any sites were compromised, and it's better to be safe than sorry.

In general, it's a good idea to change your passwords semi-regularly (say, two to four times a year), particularly for sensitive accounts like banking ones. Something like tOR.N isn't as sensitive, and, while the web traffic isn't encrypted, the password database for the message boards (and presumably Barliman's, although I have no access to that, so I don't know for certain) is, and you would have to be hit with what's referred to as a 'man-in-the-middle attack' for someone to get your tOR.N account info while you were logging in; essentially they would be pretending to be the tOR.N site and intercepting your traffic before it ever gets here. Not something someone would be likely to do to a site like ours. Personally, I have about a half-dozen 'throw-away' passwords that I use for various message boards and common sites where I don't particularly care if it's going to get hacked or not, and then for the things I do care about (email, banking, tOR.N (since I have super user access here)), I use unique, much more secure passwords and change them fairly regularly.

The Heartbleed bug was due to some code not being properly written and xkcd has a great write-up of how it works in practice in rather easy-to-understand language. http://www.xkcd.com/1354/

I spent a good chunk of my time at work this week identifying which servers we had that were vulnerable and fixing them. Fortunately, we only had a few that had the bug and none of them were exposed to the outside world, so it was an easy fix for me. =)

Hope that's helpful!

Inferno.

======================
Good night, tOR.Nados. Good work. Sleep well. I'll most likely delete you in the morning.
======================


(This post was edited by Inferno on Apr 12 2014, 5:15am)
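
The certificate check described in the post above, as an added Python example (not part of the thread or any poster's code): it reads a certificate's "not valid before" date and applies the post's rule for when to change a password. The disclosure date, the affected OpenSSL version range, the function names and the sample certificates are assumptions or constructed values, not taken from the thread.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Assumptions, not from the thread: public disclosure on 7 April 2014, and
# upstream OpenSSL 1.0.1 through 1.0.1f affected (1.0.1g carries the fix).
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated peer certificate as a dict (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issued_at(cert):
    """Parse the certificate's notBefore field into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def password_advice(cert, admin_confirmed_unaffected=False):
    """Apply the post's rule: change the password only once the site is known safe."""
    if admin_confirmed_unaffected:
        return "change-ok"   # admin says the site never ran an affected OpenSSL
    if issued_at(cert) >= DISCLOSURE:
        return "change-now"  # certificate was replaced after disclosure
    return "wait"            # old certificate: a new password could be exposed too

def openssl_version_affected(version):
    """Upstream version strings only; distro packages may backport the fix."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) < "g"

# Constructed sample certificates, in the dict format getpeercert() returns.
OLD_CERT = {"notBefore": "Jan 15 00:00:00 2013 GMT",
            "notAfter": "Jan 15 23:59:59 2015 GMT"}
NEW_CERT = {"notBefore": "Apr 10 00:00:00 2014 GMT",
            "notAfter": "Apr 10 23:59:59 2016 GMT"}

if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, issued_at(cert).date(), password_advice(cert))
    for version in ("1.0.0k", "1.0.1", "1.0.1f", "1.0.1g"):
        print(version, openssl_version_affected(version))
```

For a live site, pass the result of `fetch_cert("example.org")` to `password_advice`; a reissue date after disclosure is the post's heuristic, not proof that the server was patched.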


Brethil
Half-elven


Apr 12 2014, 5:32am

Post #4 of 9 (213 views)
Great info. Thank you. //

 

Have an idea relating to the world of JRR Tolkien that you would like to write about? If so, the Third TORn Amateur Symposium will be running in the Reading Room April, 2014. *The Call for Submissions is up*!





**And Rem, you are doing that CoH chapter. Don't forget. **


willowing
Lorien

Apr 12 2014, 7:32am

Post #5 of 9 (192 views)
Thank you Ataahua

 


willowing
Lorien

Apr 12 2014, 7:54am

Post #6 of 9 (194 views)
Thank you Inferno

for simplifying the usage of language in this area. The explanation given in your post about Heartbleed has enlightened my lack of understanding about many tech terms and their purpose. As Brethil said earlier, great info.


entmaiden
Forum Admin / Moderator


Apr 12 2014, 12:25pm

Post #7 of 9 (177 views)
We also got confirmation from Corvar

that TORn is not impacted. He basically gave the staff an explanation like Inferno's excellent analysis.

Corvar runs the TORn server.


The Grey Elf
Grey Havens


Apr 12 2014, 12:27pm

Post #8 of 9 (200 views)
I've been wondering about this since news broke

Thanks for bringing this to everyone's attention and to Inferno for his thorough explanation.

Fingers crossed ....

You are what you read.


Meneldor
Valinor


Apr 13 2014, 2:53am

Post #9 of 9 (177 views)
In the immortal words of Jesse Ventura

I ain't got time to bleed.


They that go down to the sea in ships, that do business in great waters; These see the works of the Lord, and His wonders in the deep.

 
 
