Heartbleed - OpenSSL vulnerability

    elwojo

    File not found: M:/Liberty.exe
    Dec 23, 2012
    678
    Baltimore, Maryland
    I have always assumed everything on here was likely to be compromised due to a lack of an up-to-date security certificate (and not honestly because of malicious anti-gunners). I do not know how much of the traffic here is encrypted either - but given the state of an out-of-date certificate, my hopes are not riding too high.

    When testing for the vulnerability, the automated test I have used to verify other websites' compliance draws a null on mdshooters.
     

    wrc

    unexpected T_STRING in
    May 31, 2012
    333
    AACO
    Currently safe from "heartbleed"

    www.mdshooters.com does not respond to the vulnerable protocol component, so at this point in time it is not vulnerable. If this is because an in-line security device is mitigating the problem, it could have been vulnerable in the past.

    However, when you log into mdshooters.com, you are doing it over an unencrypted channel, so anyone able to see your network traffic can easily intercept your credentials.

    That's not great news, but it does mean that someone needs to capture your traffic -- they need to watch a network between MDS and your client. The "heartbleed" vulnerability would expose your credentials (randomly) to anyone anywhere who can talk to the vulnerable host.

    The takeaway here is absolutely do not use the password you use on here anywhere else, especially if you use things like "free wifi" without protection.
     

    letmeoutpax

    Active Member
    Nov 12, 2013
    474
    St. Mary's
    Great info, thanks a lot. One more question: when some application or website asks to save a password or keep you logged in, does that create a vulnerability?
     

    Skins_Brew

    loves the smell of cosmo
    Mar 4, 2009
    6,092
    moйтgomeяу сoцйту
    I have always assumed everything on here was likely to be compromised due to a lack of an up-to-date security certificate (and not honestly because of malicious anti-gunners). I do not know how much of the traffic here is encrypted either - but given the state of an out-of-date certificate, my hopes are not riding too high.

    When testing for the vulnerability, the automated test I have used to verify other websites' compliance draws a null on mdshooters.

    The cert should be up to date, but even though it is expired, when you use the https site, your connection to the server is encrypted and secure.
     

    Skins_Brew

    loves the smell of cosmo
    Mar 4, 2009
    6,092
    moйтgomeяу сoцйту
    www.mdshooters.com does not respond to the vulnerable protocol component, so at this point in time it is not vulnerable. If this is because an in-line security device is mitigating the problem, it could have been vulnerable in the past.

    However, when you log into mdshooters.com, you are doing it over an unencrypted channel, so anyone able to see your network traffic can easily intercept your credentials.

    That's not great news, but it does mean that someone needs to capture your traffic -- they need to watch a network between MDS and your client. The "heartbleed" vulnerability would expose your credentials (randomly) to anyone anywhere who can talk to the vulnerable host.

    The takeaway here is absolutely do not use the password you use on here anywhere else, especially if you use things like "free wifi" without protection.

    I captured my login once and it seems like the browser hashes the password before it gets sent to the server.
     

    gmhowell

    Not Banned Yet
    Nov 28, 2011
    3,406
    Monkey County
    I am not a computer guy but I heard that the risk of Heartbleed is being blown out of proportion.


    Maybe. The trick is how long have the bad guys known? If this exploit has been out there for a while it's not good. If they didn't know until last week, it's better.

    The alarm bells are warranted. If there turns out to be no or few exploits, it is because the response has been so loud and fast. If people ignored it, many people would have many problems.


     

    wrc

    unexpected T_STRING in
    May 31, 2012
    333
    AACO
    I captured my login once and it seems like the browser hashes the password before it gets sent to the server.

    It does, using /clientscript/vbulletin_md5.js in the login process. You have to use an uncommonly long and complicated password or that's not much of a hurdle. If you stay logged in, your bbpassword cookie is useful to an attacker who wants to impersonate you on this site.
     

    Boondock Saint

    Ultimate Member
    Dec 11, 2008
    24,514
    White Marsh
    The vulnerability explained by xkcd:
    heartbleed_explanation.png
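
The length check behind the vulnerability discussed in this thread, as an added example that is not part of the original posts and is not OpenSSL's code. It follows the heartbeat message layout from RFC 6520 (type, 16-bit payload length, payload, at least 16 bytes of padding); the names `hb_build_response` and `hb_demo` are hypothetical, the sample record is constructed, and zero padding stands in for the random padding a real stack sends.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request  (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response (RFC 6520) */
#define HB_MIN_PAD  16  /* minimum padding after the payload */

/* Build the reply to one heartbeat message of rec_len received bytes.
 * Returns the reply length, or 0 when the message must be silently dropped. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* type (1) + payload_length (2) + minimum padding must be present */
    if (rec == NULL || rec_len < 1 + 2 + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    /* payload_length is chosen by the peer: 16-bit big-endian */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: the claimed payload has to fit in what really arrived. */
    if (claimed > rec_len - 1 - 2 - HB_MIN_PAD)
        return 0;
    size_t resp_len = 1 + 2 + claimed + HB_MIN_PAD;
    if (out == NULL || out_cap < resp_len)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);         /* echo only received bytes */
    memset(out + 3 + claimed, 0, HB_MIN_PAD);  /* simplification: real padding is random */
    return resp_len;
}

/* Constructed sample: a message that really carries 4 payload bytes but
 * states `claimed` in its length field. Returns the reply length. */
size_t hb_demo(uint16_t claimed)
{
    uint8_t rec[3 + 4 + HB_MIN_PAD] = { HB_REQUEST, (uint8_t)(claimed >> 8),
                                        (uint8_t)(claimed & 0xff), 'b', 'i', 'r', 'd' };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest length 4 -> reply of %zu bytes\n", hb_demo(4));
    printf("claimed length 500 -> reply of %zu bytes (dropped)\n", hb_demo(500));
    return 0;
}
```

A server that skips the comparison against `rec_len` copies `claimed` bytes regardless of how many arrived, which is why any client that can reach a vulnerable host gets back adjacent process memory.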
     

    rambling_one

    Ultimate Member
    MDS Supporter
    Oct 19, 2007
    6,762
    Bowie, MD
    I was able to change my MDS password using the home computer, but can't get the iPhone to remember it. Every time I log in via the phone the old PW appears and I have to manually type over it. Any suggestions?
     

    rambling_one

    Ultimate Member
    MDS Supporter
    Oct 19, 2007
    6,762
    Bowie, MD
    I was able to change my MDS password using the home computer, but can't get the iPhone to remember it. Every time I log in via the phone the old PW appears and I have to manually type over it. Any suggestions?

    Bump.

    Problem still unresolved. Perhaps my best bet is to go back to Verizon and see if their "experts" can help me <g>.
     

    Minuteman

    Member
    BANNED!!!
    Bump.

    Problem still unresolved. Perhaps my best bet is to go back to Verizon and see if their "experts" can help me <g>.

    My apologies, I have not read this thread.

    My very simple advice, for what it's worth:

    Do not use Internet Explorer as your web browser until they get it fixed. Currently it is totally open to criminals....

    At this moment, I'm going to recommend Firefox, for now.

    Here's an old video that many will find informative and entertaining.

     
