All times are UTC

Posted: Tue Apr 08, 2014 7:05 pm
Former MystOnline Moderator

Joined: Fri Nov 10, 2006 3:05 pm
Posts: 4203
Location: 56°2'26", -3°20'28"
Since I'd posted a download link previously for the openssl32 and libeay32 DLLs in this post: viewtopic.php?p=400713#p400713, and in light of the recently announced vulnerability in recent versions of OpenSSL (http://www.openssl.org/news/secadv_20140407.txt) I thought I ought to rebuild the DLLs from the new, fixed sources, for anyone that doesn't want to try building them themselves.

I've removed the old download link since those files may be unsecure and the new one is here: http://uru.mac-fife.me.uk/openssl-1.0.1g.zip

_________________
Image Mac - MOULagain KI#00004826 00004289
In the interests of the environment, this post has been constructed entirely from recycled electrons.


Posted: Tue Apr 08, 2014 11:07 pm
Obduction Backer

Joined: Wed Oct 14, 2009 4:14 pm
Posts: 1765
Who does this affect? Everyone playing URU Live? I'm confused, as usual... :oops:

_________________
Moul(A)II Charura KI#296707 Char Gearz KI#600002 Teri Dactyl KI#600568 Chickopee KI#601018 Cannon Belle KI#601422

_____________________________
How Many Times Does A Myst Player Play Myst Before A Myst Player Decides To Play Myst Again


Posted: Wed Apr 09, 2014 12:43 am

Joined: Mon Mar 15, 2010 2:36 am
Posts: 1303
Location: Back to the surface!
I would say it's a post aimed toward developers & coders more than the alpha explorers like us Charura.

Here's my rule of thumb: If you don't understand what a post is all about then it's not aimed toward you :lol: :wink: ("you" here is a general "you", it includes myself as well)

It might affect us in some way, logically, since we are using these DLLs in our clients, at least the Skydiving Client, but I have no idea what should be done so I'll wait for posts from more savvy folks :)

_________________
Annabelle 47907 - New avatar


Posted: Wed Apr 09, 2014 12:45 am
Obduction Backer

Joined: Tue May 09, 2006 4:41 pm
Posts: 1709
Location: South Georgia
Uru is not vulnerable.

_________________
Image


Posted: Wed Apr 09, 2014 5:35 pm
Former MystOnline Moderator

Joined: Fri Nov 10, 2006 3:05 pm
Posts: 4203
Location: 56°2'26", -3°20'28"
What Adam says.

I'd previously posted a set of these files as there was a little concern about the integrity of some of the versions available on DLL download sites - I built these DLLs myself from the original sources, so I could vouch for their authenticity. That was originally to help some people that were installing the Skydiver client and didn't have the DLLs to hand for one reason or another. However, in the context of the discussion about the download sites, I couldn't be sure if some people were maybe using my DLL set for other purposes (although I excluded the OpenSSL.exe file from the zip), so rather than risk continuing to propagate a potentially vulnerable file set, I pulled the original download and replaced it with an up-to-date set.

_________________
Image Mac - MOULagain KI#00004826 00004289
In the interests of the environment, this post has been constructed entirely from recycled electrons.


Posted: Thu Apr 10, 2014 6:26 pm

Joined: Tue Jan 11, 2011 9:26 pm
Posts: 2484
Location: Ontario, Canada
Here is a site where you can test whether or not a site has the bug:
http://filippo.io/Heartbleed/?_ga=1.207 ... 1384201823

It appears that most of the sites I use are currently unaffected. These include: Facebook, Google and PayPal. From what I've read anything that uses Microsoft's IIS is also safe, so Hotmail and Skype should also be safe.

Now keep in mind not to change any passwords until the site admin tells you 'it's safe' and the bug has been fixed. If this does not happen you were probably safe all along.

_________________
-------------------
-Jamie Marchant
If I don't respond it's because email notification is down again and
I forgot to return to the thread.


Last edited by Jamie Marchant on Fri Apr 11, 2014 2:20 pm, edited 1 time in total.

Posted: Thu Apr 10, 2014 6:53 pm
Obduction Backer

Joined: Thu Jun 08, 2006 7:01 pm
Posts: 1890
Google *was* affected but got patches out very quickly. I haven't seen them say to change your password, but I did it anyway.

Some parts of Amazon were affected. (Now patched.) Facebook says they solved the problem before it was reported but I don't believe them.

_________________
Andrew Plotkin -- Seltani founding member


Posted: Thu Apr 10, 2014 7:16 pm
Former MystOnline Moderator

Joined: Fri Nov 10, 2006 3:05 pm
Posts: 4203
Location: 56°2'26", -3°20'28"
Windows servers running IIS don't use OpenSSL for encryption so won't be affected by this precise vulnerability (they might have other, similar ones, but not this one). Even among Linux/Apache servers not all will be affected since it's only those using OpenSSL 1.0.1 up to and including 1.0.1f. I checked some hosting services that I know of and found that they actually used an older version, e.g. 0.9.8e, that isn't affected - it rather depends on when they built their Apache server and if it was before March 2012, when OpenSSL 1.0.1 was released, then it'll be OK (and that could be Facebook's "fix" :P).

Server admins will probably tell you a) if they were affected and you ought to change passwords and b) when to change it - as Jamie says there's little point in changing passwords until the server is fixed.

Further, it's only websites that use SSL/TLS (where the address begins with https: instead of just http:) that are involved, so most forums, etc., don't come into it: Your login is not encrypted anyway so there are no server keys to steal. The exception arises if you use the same login details as on a "secure" site that you know was affected, because then your credentials might have been captured from the "secure" site and could be used elsewhere. In that case you can go ahead and change passwords on the unsecure sites anytime you like.

Frankly, I think the problem is maybe a little over-hyped by the media, and the number of servers at risk isn't as great as they'd have us believe. There's no particular evidence I've seen to suggest that the exploit has actually been used (e.g. big lists of login details or server keys or faked security certificates for sale). In fact the media attention of the last couple of days has probably done more to elevate the risk, while admins try to get servers updated.

_________________
Image Mac - MOULagain KI#00004826 00004289
In the interests of the environment, this post has been constructed entirely from recycled electrons.
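
Added example, not part of any post in this thread: a version-string triage for the affected range given in the post above (OpenSSL 1.0.1 up to and including 1.0.1f). The function names and sample banners are constructed for illustration; an in-range result is reported as "verify" rather than "vulnerable" because a version string alone cannot show whether a vendor backported the fix.

```python
import re
import ssl

# Matches "OpenSSL 1.0.1f 6 Jan 2014" or a server banner token "OpenSSL/1.0.1e".
_BANNER_RE = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)
# Matches a bare version such as "0.9.8e".
_BARE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)

def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letters) from a banner or bare version."""
    m = _BANNER_RE.search(text) or _BARE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("no OpenSSL version in %r" % (text,))
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).lower()

def in_heartbleed_range(text):
    """True if the version is 1.0.1 through 1.0.1f, the range given in the thread."""
    major, minor, fix, letters = parse_openssl_version(text)
    if (major, minor, fix) != (1, 0, 1):
        return False  # outside the 1.0.1 branch, e.g. 0.9.8e
    # "" is the original 1.0.1 release; a..f are in range; g and later are fixed.
    return letters == "" or (len(letters) == 1 and letters <= "f")

def triage(banners):
    """Map each banner to 'verify' (in range), 'ok', or 'unknown' (no version found)."""
    result = {}
    for b in banners:
        try:
            result[b] = "verify" if in_heartbleed_range(b) else "ok"
        except ValueError:
            result[b] = "unknown"
    return result

# Constructed sample inputs; the version numbers are the ones named in the thread.
SAMPLES = [
    "0.9.8e",
    "OpenSSL 1.0.1 14 Mar 2012",
    "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1f",
    "1.0.1g",
    "1.0.1h",
    "Microsoft-IIS/7.5",
]

if __name__ == "__main__":
    for banner, status in triage(SAMPLES).items():
        print("%-55s %s" % (banner, status))
    print(ssl.OPENSSL_VERSION, "->", triage([ssl.OPENSSL_VERSION])[ssl.OPENSSL_VERSION])
```
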


Posted: Thu Apr 10, 2014 8:06 pm

Joined: Tue Jan 11, 2011 9:26 pm
Posts: 2484
Location: Ontario, Canada
I agree with your last point Mac, the media seem to be overplaying things. Now on the topic of passwords it should be noted that any unencrypted data can be 'relatively' easily captured. For this reason I never use my 'secure site' password on unsecure sites. Also I have no clue why Google hasn't told us to change our passwords but I imagine they would if they felt it was necessary (maybe they want to make sure the problem is indeed solved before having everyone change them).

_________________
-------------------
-Jamie Marchant
If I don't respond it's because email notification is down again and
I forgot to return to the thread.


Posted: Thu Apr 10, 2014 8:52 pm
Obduction Backer

Joined: Thu Jun 08, 2006 7:01 pm
Posts: 1890
Quote:
I agree with your last point Mac, the media seem to be overplaying things.


Schneier says it's bad, and I trust him on this stuff.

I agree that this isn't a big deal for web forums. But if you buy stuff online, or bank online, or sign up for health insurance online, or use a Gmail address as the "forgot my password" email on any site -- then you're relying on somebody's HTTPS security. All of that is now potentially compromised until each site cleans itself up. I expect Google to be fast at that, but my bank? Who the heck knows.

EDIT-ADD: http://mashable.com/2014/04/09/heartble ... -affected/

_________________
Andrew Plotkin -- Seltani founding member


Posted: Fri Apr 11, 2014 7:55 pm
Former MystOnline Moderator

Joined: Fri Nov 10, 2006 3:05 pm
Posts: 4203
Location: 56°2'26", -3°20'28"
And for anyone interested in the geeky details of the bug, CloudFlare have posted a blog that makes quite good reading without being overly technical - http://blog.cloudflare.com/answering-th ... heartbleed - it also includes a challenge to try to extract private keys from a server they've deliberately left vulnerable.

_________________
Image Mac - MOULagain KI#00004826 00004289
In the interests of the environment, this post has been constructed entirely from recycled electrons.


Posted: Sat Apr 12, 2014 3:32 pm

Joined: Thu May 11, 2006 5:22 pm
Posts: 1814
Location: California
If you use a site using SSL, you can check to see if they have made the repair: https://www.ssllabs.com/ssltest/

I suspect they are just checking version numbers, but that should be good enough.

_________________
Nalates - GoC - 418 - MOULa I: Nal KI#00 083 543, MOULa II: KI#00 583 875Nalates 111451 - Second Life: Nalates Urriah
Guild of Cartographers Image


Posted: Sat Apr 12, 2014 11:37 pm

Joined: Sun Jan 01, 2012 8:42 pm
Posts: 36
Location: San Antonio, Texas
Intuit/TurboTax was affected. THAT'S a Big Deal. My bank said they fixed it last week nothing to worry about weasel word weasel word move along folks. Yeah, time to change passwords and PIN there too.


Posted: Fri Jun 06, 2014 10:07 pm
Former MystOnline Moderator

Joined: Fri Nov 10, 2006 3:05 pm
Posts: 4203
Location: 56°2'26", -3°20'28"
Some lesser vulnerabilities were found during the process of fixing the "Heartbleed" bug (https://www.openssl.org/news/secadv_20140605.txt), so there's been a further up-issue of OpenSSL.

I've rebuilt the DLLs again from the 1.0.1h sources and posted them here: http://uru.mac-fife.me.uk/openssl-1.0.1h.zip

As previously noted, Uru isn't really affected much by these issues, but if you're downloading the DLLs at all (e.g. for the skydiver client) then it makes sense to use the latest ones.

_________________
Image Mac - MOULagain KI#00004826 00004289
In the interests of the environment, this post has been constructed entirely from recycled electrons.

