{{
`${userDetail.user.displayName}${userDetail.user.cachedBungieGlobalDisplayNameCode ? `#${standardizeBungieGlobalCode(userDetail.user.cachedBungieGlobalDisplayNameCode)}` : ""}`}}
{{getUserClans()}}
Edited by dazarobbo:
4/10/2014 6:17:16 AM
3
I know it's going to seem counter-intuitive, but the one thing you probably [i]shouldn't[/i] do right now is change your passwords for any of the affected sites you use. You should wait until you have confirmation from the affected site(s) that they have been updated and are safe to use. [i]Then[/i], change your password.
If you use any of the sites listed as vulnerable with SSL/TLS (https), but don't use anything particularly important (ie. anything that requires you to sign in or makes use of cookies for personalised interaction), feel free to keep using the sites. You won't be at any less risk than before. The same for any sites you use without SSL (ie. http only).
Edit: also, bungie.net won't be affected since it uses IIS which, AFAIK, uses a proprietary implementation of SSL.
English
-
correct me if i'm wrong but it's basically a simple buffer-overflow error that gives unrecorded full server access? if so seems like it would be a really simple to detect/fix issue... so why would it take 2 years to detect?
-
Theoretically it's possible to get access, but that's unlikely (eg. the web server is probably/hopefully run with a user account that has limited privileges). It probably hasn't been found simply because nobody has tried to exploit it. Or, if people have exploited it in the past, they just haven't disclosed it. From what I've read though, the OpenSSL source is an absolute mess, so finding bugs like this is probably like a needle in a stack (there's a joke here).
-
He rarely responds.
