Second Life and HeartBleed

The media is trying for ratings. To get them, they over hype things. I am also convinced that journalist become journalist because they cannot do math or understand science, which to some degree means technology. So, they have little understanding of HeartBleed, what it does, how it does it, or what it means.

HeartBleed

HeartBleed

To put things in some perspective check out: Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed?

The quick explanation of HeartBleed is that it is an exploit run on SERVERS that use the OpenSSL code and only certain versions of it. Anti-virus and anti-malware software cannot fix or protect you from such a problem.

So, if someone is selling protection, they are selling into the hype-generated fear. They are opportunists, which is not necessarily a bad thing. But, if they are providing software for your computer they are only providing some people peace of mind. You can get peace of mind for free from understanding the reality.

Cloudflare’s explanation is what I’ll call medium level technical. It is readable and I think SL users will probably understand it. But, the TL;DR is:

The exploit in the server code will allow a hacker to trick the server into sending them the code they need to decrypt HTTPS encrypted network packets. When you browser talks to a bank or other server using OpenSSL the network packets traveling back and forth are encrypted. To date no one has been able to break that encryption. So, your conversation is secure. 

With HeartBlood a hacker can get the encryption key from the server and then decrypt your network communications. They can then read your password and view the pages the server sends back. Obviously, with the user ID and password they can do whatever they want with your account.

Thus comes the recommendation to change your password, which we should be doing every 6 months or more often anyway.

As more of this story is dug out we are finding that NSA became aware of the problem and was using the exploit. OK, that is sneaky and they are supposed to be sneaky. But, their primary purpose is protecting America. Not discretely dealing with the problem and having our financial institutions patch the exploit is a moral lapse in carrying out their duty. They seem to have lost their moral and ethical sense of a duty to the citizens of America. That is the problem with governments that claim they will take care of the people.

Linden Lab has explained how HeartBleed has affected SL users. See: Account Safety and the Heartbleed OpenSSL Bug. While I recommend you do change your password, keep the old one too. If you log into ADITI (preview/beta grid) you will need it, as the login servers on ADITI are not picking up password changes and continue to require the old password. At some point that problem will get fixed.

If you want to check a site you use to see if it is fixed, check out: ssllabs.com. They have a free testing tool running.

As to changing all your passwords… yeah, but… If the HeartBleed exploit is open when you change your password, you give the hacker the chance to get your password. Remember. They are getting your password from the network communication and/or possibly the server’s active memory. If you aren’t communicating, the password is not in active server memory or in the packets they can intercept.

They aren’t breaking in and taking data from the server’s database, just tricking it to send what is in active memory or incepting communications. The media has made it likely that more hackers are trying to exploit everyone’s rush to change passwords. So, you REALLY need to know if the site you use has fixed the problem before you change your password. Because, if they don’t already have your password – and it is a small possibility they do – not counting NSA, you may be giving them your new one.

Without information you are in a Catch-22.

For Second Life, I am guessing that Thursday’s 2:45 PM post suggests they will have new certificates in place by hopefully end of work Monday. I could be wrong. They may have already changed them or the rush for new certificates may slow things down. I doubt the later is likely as certificates are computer generated, its not like they stand in line at some government office. I am guessing weekend staff at the Lab will be working on certificate changes since we didn’t get word Friday that the certificates had been changed.

We’ll have to make a judgment call as to when to change our SL passwords. For your bank check their web site or call and ask.

Leave a Reply

Your email address will not be published. Required fields are marked *