cancel
Showing results for 
Search instead for 
Did you mean: 

OpenSSL bug (Heartbleed) on Plusnet routers

igoddard
Newbie
Posts: 1
Registered: ‎18-08-2013

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Quote from: wintonian

So why all this advice to change passwords if you can just buy, update or use an old router?  Huh

Because passwords could already have been leaked.
But it does make sense to do things in the right order:  fit the new bolt to the stable door before returning the horse!
RickK
Grafter
Posts: 60
Registered: ‎03-07-2013

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Right, the heartbleed bug was only recently discovered but due to the versions of OpenSSL having had this feature  for over 2 years, the possibility of someone knowing this exploit are slim but in this day in age you can't afford the risk.
So as a end user, you only have to worry about the websites you as a user use, sadly server admins have gotten of allot worse having to ensure their servers are patched and SSL certificates reissued if applicable.
Just like igoddard said;  fit the new bolt to the stable door before returning the horse!
So make sure the websites you use are patched before changing your passwords, and try to use something new.
Because the heartbleed only  made 64Kb visible it would require numerous attempts to extract user data and certificate information as it would all be mixed in together.
TLDR:
Check site, if ok? Change to a unique password
wintonian
Dabbler
Posts: 18
Registered: ‎25-04-2013

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Yes I know that, which is why I have not changed the Plusnet one yet.
But plusnet are telling me that the issuse is nothing to do with website and if there is a problem that it it my responsibility to fix.
They will not tell me if the member centre has been/ is vulnerable as it is nothing to do with that and they don't know what router I have.
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,916
Thanks: 5,021
Fixes: 316
Registered: ‎04-04-2007

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Quote from: wintonian
But plusnet are telling me that the issuse is nothing to do with website and if there is a problem that it it my responsibility to fix.

You shouldn't have been advised as such. Sorry.
Quote from: wintonian
They will not tell me if the member centre has been/ is vulnerable as it is nothing to do with that and they don't know what router I have.

None of our external web services (including the Member Centre and Webmail) are, or were, vulnerable.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Townman
Superuser
Superuser
Posts: 23,293
Thanks: 9,783
Fixes: 162
Registered: ‎22-08-2007

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Bob,
Given your two answers above, has the correct briefing / answers been sent out to all CS Agents yet?  If not, is there a plan to do so?  I suggest that the answers received by this user lack an understanding of the issue and the not unreasonable concerns of users.
Is there merit in placing (yet another) sticky at the top of the forum on this issue?
Cheers,
Kevin

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

bobpullen
Community Gaffer
Community Gaffer
Posts: 16,916
Thanks: 5,021
Fixes: 316
Registered: ‎04-04-2007

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Quote from: Townman
... has the correct briefing / answers been sent out to all CS Agents yet?

Yes. I think there may have been some confusion though, caused by an earlier briefing that referred to the router we supply.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

wintonian
Dabbler
Posts: 18
Registered: ‎25-04-2013

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Thank for that,  I didn't think sp but wanted confirmation from the horses mouth so to speak,  rather than someone trying to be helpful on a forum.
The guy I spoke to read through an email he had received about the vulnerability and Thompson routers,  then when I mentioned the website and that I was not using a Plusnet router told me he couldn't advise as it was a non Plusnet router,  and despite my assertions about it beng server side insisted that all the OpenSSL stuff was done on the router andthus nothing to do with th ISP  if I did not have one of their routers.
Needless to say I was left rather confused!

Mind youshort statement from Plusnet stating what you just have above,  and pinned up for a couple of months  would have made life much easier.
IanDavies
Newbie
Posts: 1
Registered: ‎12-04-2014

Re: OpenSSL bug (Heartbleed) on Plusnet routers

I think Plusnet need to be much more pro-active informing their users on this issue.  It was only when I googled 'plusnet heartbleed' that I found this thread ... and then had to register on the forum to participate here!!  I'm sure that like me many plusnet customers simply have no need of forum membership until something really serious like this comes along.
Why is there nothing on the plusnet homepage itself or even a straightforward e-mail to all of us?Huh
Also, when I checked a couple of the web-sites promoted by the media  as a central reference of which sites are vulnerable to Heartbleed, plusnet is listed as 'potentially vulnerable'.
dragon2611
Grafter
Posts: 283
Registered: ‎20-10-2013

Re: OpenSSL bug (Heartbleed) on Plusnet routers

Quote from: wintonian
Yes I know that, which is why I have not changed the Plusnet one yet.

It's actually impossible to have a secure member centre password since it's the same one that's used for you to authenticate to get online, which means its either stored in plaintext on your router or even if it's encrypted on the router it would have to be then stored using an reversible encryption so the router can use it to login.
I'd like to see the PPP and member center passwords seperated at some point but not sure if that will ever happen  Cry
wintonian
Dabbler
Posts: 18
Registered: ‎25-04-2013

Re: OpenSSL bug (Heartbleed) on Plusnet routers

I agree silly idea using the same one.