LastPass Heartbleed checker

Infinity
Pro
Posts: 5,601
Thanks: 148
Fixes: 2
Registered: 19-06-2011

LastPass Heartbleed checker

LastPass Heartbleed checker
Tool reveals web services that may be vulnerable to security flaw
http://www.dailymail.co.uk/sciencetech/article-2600701/Are-YOUR-details-risk-heartbleed-hackers.html...
http://www.theguardian.com/technology/2014/apr/08/heartbleed-bug-puts-encryption-at-risk-for-hundred...
http://heartbleed.com/
https://lastpass.com/heartbleed/
Various Plusnet URLs show:

Detected server software of Apache
That server is known to use OpenSSL and could have been vulnerable.
The SSL certificate for plusnet.com valid 2 years ago at Jul 9 12:21:33 2012 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.

I presume Plusnet techies are already checking out vulnerabilities?
20 REPLIES
alanf
Aspiring Pro
Posts: 1,931
Thanks: 77
Fixes: 1
Registered: 17-10-2007

Heartbeat

"Heartbleed Bug: Public urged to reset all passwords "
http://www.bbc.co.uk/news/technology-26954540
"Heartbleed: don't rush to update passwords, security experts warn"
http://www.theguardian.com/technology/2014/apr/09/heartbleed-dont-rush-to-update-passwords-security-...
TORPC
Grafter
Posts: 5,163
Registered: 08-12-2013

Re: Heartbeat

Already noted in https://community.plus.net/forum/index.php/topic,125870.0.html
Quote from: Linn
We've just received a response from our suppliers and they've confirmed that our routers are not affected :)
Community Veteran
Posts: 18,545
Thanks: 191
Registered: 12-08-2007

Re: Heartbeat

Thanks for the info alanf. It's been featured on all news channels here in the US today.
Infinity
Pro
Posts: 5,601
Thanks: 148
Fixes: 2
Registered: 19-06-2011

Re: LastPass Heartbleed checker

Barbados too!!
TORPC
Grafter
Posts: 5,163
Registered: 08-12-2013

Re: LastPass Heartbleed checker

Can also check via
http://filippo.io/Heartbleed/
CX
Grafter
Posts: 745
Thanks: 2
Registered: 16-09-2010

Re: LastPass Heartbleed checker

RE the BBC News article today; is it really a good idea to suggest that people start changing passwords now, when you have no idea whether or not the server in question has been patched? Doesn't that just expose you to more risk now that the vulnerability is well publicized?
edit: Just saw the site checkers which actually test for presence of the heartbeat "feature".
aclow
Dabbler
Posts: 11
Registered: 05-08-2008

Re: LastPass Heartbleed checker

Qualys SSL labs have a very detailed SSL security analysis checker at
https://www.ssllabs.com/ssltest/index.html
I've tested  portal.plus.netwebmail.plus.net and  community.plus.net.
Neither is vulnerable to the heartbleed bug.
Both got a grade B for not supporting the latest TLS protocols, and it mentioned that they don't support Forward Secrecy (where session-specific rather than permanent private keys are used).
Older versions of OpenSSL didn't have the heartbeat malfeature, so aren't vulnerable.
updated:
Maybe plusnet were never vulnerable given that it seems like they're using older versions, but for example, soundcloud.com believed they were vulnerable and have an almost identical report.


General advice
Can I reiterate that logging in and changing your password on a site that is still vulnerable simply increases by one the number of occasions on which your password is visible whilst reducing your caution levels. Changing your password once the server is secure makes a lot of sense.
Using the same password on multiple sites is hazardous, especially if one is low-security (garden shed bulletin board) and the other is high-value (ecommerce, online banking).
Good passwords are non-obvious. You could take your favourite song, which is probably not "somewhere over the rainbow, way up high" and the fact that your Mum was born on the 2nd of some month, and turn that into psotrWuht216 (the p and the t because it's your PlusneT password, the 16 because p is the 16th letter of the alphabet, the sotrWuh from the song). My real passwords have much more variety in them than this, but it's an example.
Community Veteran
Posts: 6,586
Thanks: 206
Fixes: 14
Registered: 16-02-2009

Re: LastPass Heartbleed checker

Gawd you like complicated passwords :D What's wrong with "letmein" & "hello" ;D ;D
However I tend to use LastPass and let it generate a secure password & remember it - which I think is much harder to do :o
Community Veteran
Posts: 18,545
Thanks: 191
Registered: 12-08-2007

Re: LastPass Heartbleed checker

A Q&A from Associated Press on Heartbleed.
Q&A
aclow
Dabbler
Posts: 11
Registered: 05-08-2008

Re: LastPass Heartbleed checker

@Hairy McBiker :D ;D
I've upgraded my password creation algorithm to v2.0 in response to this crisis, but considered services like lastpass for taking the effort out, but why don't I lazily ask you things I was planning on getting round to looking up:
1. Is there an android version?
2. What if I'm on a computer I've never used before, or a work computer where I don't have install privileges?
3. What if lastpass has a security issue? No-one knows any of my passwords, and I don't think you could deduce my system from examples.
4. I think if I did that, I'd still use different passwords for critical stuff like online banking and major ecommerce - I can't bring myself to put all my eggs in one basket.
aclow
Dabbler
Posts: 11
Registered: 05-08-2008

Re: LastPass Heartbleed checker

Oh - and the lastpass security checker is being vaguely threatening about websites that "might" be vulnerable, where more detailed checks tell you they aren't is nothing to do with generating custom, I'm sure! ;)
Joking aside, I'll go with the detailed analysis over just checking which brand of webserver they're running.
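
The contrast drawn in this thread, between the banner-and-certificate-date heuristic quoted in the opening post and a checker that actually probes the heartbeat extension, can be sketched as follows. This is an added example, not part of the original thread and not LastPass's or Qualys's code; the banner list, the function names and the `heartbeat_leaks` input are assumptions, and the cut-off is Heartbleed's public disclosure date of 7 April 2014.

```python
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed, used as the cut-off for certificates.
DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)
# Banners treated as "likely built on OpenSSL"; this list is an assumption.
OPENSSL_BANNERS = ("apache", "nginx")


def cert_predates_disclosure(not_before):
    """not_before is the certificate's notBefore text, e.g. 'Jul 9 12:21:33 2012 GMT'."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued < DISCLOSED


def triage(banner, not_before, heartbeat_leaks=None):
    """Combine the banner/date heuristic with an optional real heartbeat test.

    heartbeat_leaks: True/False from a scanner that actually probes the
    heartbeat extension, or None when only the heuristic is available.
    """
    uses_openssl = any(name in banner.lower() for name in OPENSSL_BANNERS)
    old_cert = cert_predates_disclosure(not_before)
    if heartbeat_leaks is True:
        return "vulnerable now: wait for the patch before changing passwords"
    if heartbeat_leaks is False:
        if old_cert:
            return ("not vulnerable now: certificate predates disclosure, "
                    "reissue if the server was ever affected")
        return "not vulnerable now: certificate issued after disclosure"
    # Heuristic only: it cannot tell a patched or never-affected server
    # from an exposed one, so the answer stays "unknown".
    if uses_openssl and old_cert:
        return "unknown: could have been vulnerable, certificate may need regenerating"
    if uses_openssl:
        return "unknown: could have been vulnerable"
    return "unknown: banner gives no indication"
```

With only the banner and certificate date, every Apache host with a 2012 certificate gets the same "unknown" answer, whether or not it ever ran an affected OpenSSL build; the result of a real heartbeat probe is what moves the verdict.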
Infinity
Pro
Posts: 5,601
Thanks: 148
Fixes: 2
Registered: 19-06-2011

Re: LastPass Heartbleed checker

The NSA allegedly exploited the Heartbleed Bug for years
Given everything the NSA has been accused of over the last year or so, it's not surprising to learn that the agency may have used this exploit as well to gain access to internet users' private data.
http://www.techradar.com/news/internet/surprise-surprise-nsa-allegedly-knew-exploited-heartbleed-bug...

Heartbleed: 5 things you need to do right now
In Depth Simple steps to make sure your trip online doesn't turn into a nightmare
http://www.techradar.com/news/internet/web/heartbleed-5-things-you-need-to-do-right-now-1241369
Community Veteran
Posts: 18,545
Thanks: 191
Registered: 12-08-2007

Re: LastPass Heartbleed checker

If you are worried about websites there's a free add-on for Firefox here:
Firefox Add-on
TORPC
Grafter
Posts: 5,163
Registered: 08-12-2013

Re: LastPass Heartbleed checker

Cheers art :)