Heartbleed Bug

Postby xbonize » Sun Apr 13, 2014 3:25 am

Hello,

With news breaking on 7th April that the Heartbleed bug causes a vulnerability in OpenSSL, I would like to know whether StickyAccount is vulnerable to the bug or not.

It would be appreciated if you could supply more details about this.

Re: Heartbleed Bug

Postby pavelkrcma » Sun Apr 13, 2014 9:11 am

Hi,

All information about the Heartbleed bug is available here: http://blogen.stickypassword.com/sticky ... bleed-bug/

I hope it helps.
Pavel Krcma

Re: Heartbleed Bug

Postby xbonize » Sun Apr 13, 2014 9:37 am

"Your master password, logins, passwords, authentication and private data are safely encrypted in Sticky Password and therefore are not affected by heartbleed."

Great!

Re: Heartbleed Bug

Postby The Sand » Tue Apr 15, 2014 10:50 pm

To tell you the truth the Stickypass statement isn't clear...

"We have no indication of any impact on Sticky Password"

And you never will, because we all know the attack leaves no trace.

"Your master password, logins, passwords, authentication and private data are safely encrypted in Sticky Password and therefore are not affected by heartbleed."

For StickyPass 7 the master password would be the issue. (The standalone Desktop Stickypass does not apply because everything is localized to your hard drive.) It is the "sync" across devices that concerns me... The master password has to be authenticated with StickyPass. Even if that master password goes over as a hash (which is good, but not bulletproof if Heartbleed is involved). The rest of the data is indeed protected by the Stickypass program.


"While StickyPassword.com was not affected, some of our servers were running the vulnerable version of OpenSSL and we immediately installed the patch."

So you were NOT using OpenSSL for https://stickypassword.com, which is the site the master password authenticates with? If that is not the site the master authenticates with, what is it? And was that server affected by Heartbleed?

Obviously you were running OpenSSL for other servers... and we have no idea what is on those servers or what they are used for.

Here is a list of companies and where they stand with this bug:

http://mashable.com/2014/04/09/heartble ... -main-link

As you can see, the "money" websites were not compromised. Neither were Microsoft, Apple or Amazon. Because nobody who takes care of anything relevant should EVER use open source code which is written for free and maintained by volunteers.

StickyPass isn't listed - but if you are running anything like Dashlane or LastPass a password change is what you should do especially if you ever use open wifi.

This is why:

"If an attacker was able to steal our server's private key using this method AND if he had control over your network, he could have executed a man-in-the-middle attack on our web interface. By "impersonating" our server, he could have delivered modified JavaScript code which submits your plaintext password instead of the one-way hash of your password in order to get access to your credentials. Although this could be a serious issue for an individual user under the specific circumstances mentioned before, it does not impose a security risk for all Boxcryptor users. Nevertheless, we recommend all users who used an untrusted network to create their account or to sign in via our web interface to change their password. Users who only utilized our client software or our web interface using trusted networks cannot be subject to this attack."

That is from Boxcryptor. At least they were thorough in their explanation. Here is a link to that statement:

https://www.boxcryptor.com/en/blog/how- ... boxcryptor

It appears Boxcryptor, Lastpass and Dashlane all "hash" the master password. Lastpass and Dashlane are saying that is good enough. Only Boxcryptor is advising that it isn't if you ever used a non-protected network, and many do just that while on their smartphone.

I run separate stand alone installs of StickyPass 6 for my computers and have been hesitant to upgrade to the "sync" in 7 due to security concerns. And Heartbleed shows me I was right to be concerned.

Right now I still don't know enough on where you stand with this... If you ever want me to upgrade to 7 I need to know more.

And btw you don't use https for the forum login which is stupid. You should change that because it looks bad.

Re: Heartbleed Bug

Postby xbonize » Fri Apr 18, 2014 3:20 am

Dear SP Team,

is it true what @The Sand says about this security issue?

Re: Heartbleed Bug

Postby pavelkrcma » Fri Apr 18, 2014 9:08 am

Hello,

I'll try to answer your questions. Let's start with the Master Password issue:

The Master Password, the key to the database, is really never sent over the net, nor is its hash. The reason is that the server doesn't need access to the database. The authentication of an installation (client) against the StickyPassword backend is based on StickyID (your email) and StickyPass, which is different from your Master Password. Only the encrypted database is sent over the net, so even if an attacker catches the communication he can't access the data inside the DB.

Which servers were affected and unaffected:

www.stickypassword.com: web site and user accounts - never vulnerable because we used the latest main release of OpenSSL, which doesn't contain this bug. The bug was introduced in a minor fix later.

backend services (SPCB): we use Amazon cloud services. Amazon applied the patch immediately when the bug was released, and we changed the private key to be sure.
Pavel Krcma

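Pavel's description of the sync design (the master password only unlocks the local database, a separate StickyID/StickyPass pair authenticates to the backend, and only the encrypted database crosses the wire) is exactly the property that keeps a server-side memory disclosure like Heartbleed from exposing vault contents. The Python below is an added illustration of that split, not Sticky Password's code and not a description of its actual protocol: it assumes PBKDF2-HMAC-SHA256 for key derivation, an encrypt-then-MAC construction built from HMAC-SHA256 as a standard-library stand-in for a real AEAD such as AES-GCM, and a plain string as the transport credential. It checks that neither the master password nor its hash appears anywhere in the sync request, that the blob decrypts only with the locally derived key, and that a tampered blob is rejected.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 200_000  # PBKDF2 work factor; illustrative value, not a vendor setting


def derive_key(secret: str, salt: bytes, purpose: bytes) -> bytes:
    """Derive a 32-byte key from a password with PBKDF2-HMAC-SHA256.
    'purpose' domain-separates keys derived from the same secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt + purpose,
                               KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream. This is a stdlib-only
    stand-in for a vetted AEAD (AES-GCM, ChaCha20-Poly1305) so the example runs
    without third-party packages."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one DB key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext; any
    mismatch (wrong key or modified blob) raises instead of returning garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_build_sync_request(master_password: str, sticky_id: str, sticky_pass: str,
                              db_plaintext: bytes, salt: bytes) -> dict:
    """Everything the client would put on the wire (hypothetical message shape).
    The master password is consumed locally to derive the DB key and never
    becomes part of the request, nor does any hash of it."""
    db_key = derive_key(master_password, salt, b"db-key")
    return {
        "sticky_id": sticky_id,
        "sticky_pass": sticky_pass,  # separate transport credential (assumed form)
        "db_blob": encrypt(db_key, db_plaintext),
    }


def secret_exposed_in_request(request: dict, secret: str) -> bool:
    """Does the secret, or its SHA-256, appear in the bytes that reach the server?
    That is the material a server-side memory disclosure could hand an attacker."""
    wire = (request["sticky_id"].encode() + request["sticky_pass"].encode()
            + request["db_blob"])
    digest = hashlib.sha256(secret.encode()).digest()
    return secret.encode() in wire or digest in wire


def decrypt_attempt(request: dict, key_guess: bytes):
    """What a party holding only the captured request can do with a guessed key:
    returns the plaintext on success, None when the blob refuses to open."""
    try:
        return decrypt(key_guess, request["db_blob"])
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    salt = b"constructed-per-user-salt"
    req = client_build_sync_request("correct horse battery", "alice@example.com",
                                    "transport-credential-123",
                                    b"site=example.com;user=alice;pw=hunter2", salt)
    print("master password on wire:", secret_exposed_in_request(req, "correct horse battery"))
    print("transport credential on wire:", secret_exposed_in_request(req, "transport-credential-123"))
    print("decrypt with zero key:", decrypt_attempt(req, b"\x00" * 32))
```

Running the script shows the trade-off The Sand raises in a concrete form: the transport credential does travel in the request, so a server-side disclosure could expose it, but all it buys is the ability to fetch a copy of the encrypted blob, which still needs the key derived on the client. That is why rotating the transport credential and the server's private key, as Pavel describes, is the right response on the server side, while the master password itself needs no change.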