Page 1 of 1
Heartbleed Do BBO users need to take any action?
#1
Posted 2014-April-15, 01:20
I have a question for BBO.
Are the passwords used to log in to BBO/BBO Forums potentially vulnerable to 'Heartbleed'?
#2
Posted 2014-April-15, 15:05
The web pages we use for credit card entry use https and have been patched.
The various BBO clients don't use encryption in the first place.
#3
Posted 2014-April-15, 16:00
That's... troubling, frankly. Login details at the very least should be encrypted.
#4
Posted 2014-April-15, 23:28
TylerE, on 2014-April-15, 16:00, said:
That's... troubling, frankly. Login details at the very least should be encrypted.
Agreed. When I log in to the web view I can see that username and password get sent in plain text as part of the form data of a request to http://webutil.bridg...m/v2/ud_api.php and to http://webutil.bridg...d_listmail.php. It appears that someone then hashes the password, because the username and a large number are sent instead for the later request to http://webutil.bridg.../frontpage.php. Fortunately there are only small amounts of money associated with BBO accounts. The only query param in the URL is a cbust, which is a random number (and likely is there to trick/force caches not to cache the pages). But as far as I can tell from the Chrome network tab, the form data, including the password for the first two requests, is in plain text.
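The pattern described in the post above (a form-encoded POST over plain http carrying the password, a later request carrying only a hash-like number, and a cache-busting query parameter that has no security meaning) can be checked mechanically from a browser capture. The following is an added example written for this thread, not code from the forum or from BBO; the captured requests, hostnames (`example.test`) and paths are constructed placeholders, not BBO's real endpoints. It classifies each sensitive field by transport (http vs. https) and location (query string vs. body), and flags a derived token sent over http as replayable even though the raw password is not exposed.

```python
"""Audit captured login requests for credentials sent without TLS.

Added example (not code from the forum thread or from BBO). The captured
requests at the bottom are constructed to mirror the pattern described in
the thread; hosts and paths are placeholders.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs, urlsplit

# Field names treated as raw credentials (case-insensitive substring match).
CREDENTIAL_NAMES = ("password", "passwd", "pwd")
# Cache-busting parameters carry no security meaning; skipped in the report.
CACHE_BUST_NAMES = ("cbust", "_", "nocache")


@dataclass
class CapturedRequest:
    method: str
    url: str
    body: str = ""  # application/x-www-form-urlencoded body; empty for GET


@dataclass
class Finding:
    url: str
    field: str
    severity: str  # "high", "medium" or "info"
    detail: str


def looks_like_token(value: str) -> bool:
    """Heuristic for a derived credential: a long run of hex digits or a large integer."""
    v = value.strip()
    return len(v) >= 16 and all(c in "0123456789abcdefABCDEF" for c in v)


def audit_request(req: CapturedRequest) -> List[Finding]:
    parts = urlsplit(req.url)
    tls = parts.scheme == "https"
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(req.body, keep_blank_values=True)
    findings: List[Finding] = []
    for source, fields in (("query string", query), ("form body", form)):
        for name, values in fields.items():
            lname = name.lower()
            if lname in CACHE_BUST_NAMES:
                continue
            is_credential = any(c in lname for c in CREDENTIAL_NAMES)
            is_token = any(looks_like_token(v) for v in values)
            if is_credential and not tls:
                findings.append(Finding(req.url, name, "high",
                    f"raw credential in {source} over {parts.scheme}: "
                    "readable by anyone on the network path"))
            elif is_credential and source == "query string":
                findings.append(Finding(req.url, name, "medium",
                    "credential in the URL: encrypted in transit but written "
                    "to server logs and browser history"))
            elif is_credential:
                findings.append(Finding(req.url, name, "info",
                    "credential sent over TLS; protected in transit only while the "
                    "server's TLS stack is patched (Heartbleed hit the server, not the scheme)"))
            elif is_token and not tls:
                findings.append(Finding(req.url, name, "medium",
                    f"derived token in {source} over {parts.scheme}: the password "
                    "itself is not exposed, but the token can be captured and replayed"))
    return findings


def audit_capture(requests: List[CapturedRequest]) -> List[Finding]:
    return [f for r in requests for f in audit_request(r)]


def severity_counts(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed capture: two plaintext logins, one hashed follow-up, one TLS forum login.
CAPTURED = [
    CapturedRequest("POST", "http://webutil.example.test/v2/login_api.php?cbust=8123457",
                    "user=alice&password=correct+horse"),
    CapturedRequest("POST", "http://webutil.example.test/listmail.php?cbust=2231",
                    "user=alice&password=correct+horse"),
    CapturedRequest("POST", "http://webutil.example.test/frontpage.php?cbust=994",
                    "user=alice&hash=3141592653589793238462643"),
    CapturedRequest("POST", "https://forums.example.test/index.php?app=core&module=global&section=login",
                    "ips_username=alice&ips_password=correct+horse"),
]

if __name__ == "__main__":
    for f in audit_capture(CAPTURED):
        print(f"[{f.severity:6}] {f.url}  {f.field}: {f.detail}")
```

Run against the constructed capture it reports two high findings (the raw password over http), one medium (the hashed value over http, which is still replayable), and one info (the forum login over TLS). The point of the last category is the one the thread circles around: https protects the credential on the wire, and Heartbleed was a flaw in the server's OpenSSL that leaked process memory regardless of how the client addressed the page.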
#5
Posted 2014-April-15, 23:49
TylerE, on 2014-April-15, 16:00, said:
That's... troubling, frankly. Login details at the very least should be encrypted.
No IT guy, me, but I had the impression that if the URL starts with "https://" then it is sent encrypted, but if it starts with "http://" then it is not. Heartbleed compromised the encryptions. A lot of sites (most of BBO included) use the basic "http://" URL. Maybe that is an oversimplification?
Psych (pron. saik): A gross and deliberate misstatement of honour strength and/or suit length. Expressly permitted under Law 73E but forbidden contrary to that law by Acol club tourneys.
Psyche (pron. sahy-kee): The human soul, spirit or mind (derived, personification thereof, beloved of Eros, Greek myth).
Masterminding (pron. mstr-mnding) tr. v. - Any bid made by bridge player with which partner disagrees.
"Gentlemen, when the barrage lifts." 9th battalion, King's own Yorkshire light infantry,
2000 years earlier: "morituri te salutant"
"I will be with you, whatever". Blair to Bush, precursor to invasion of Iraq
#6
Posted 2014-April-16, 16:53
uday, on 2014-April-15, 15:05, said:
The web pages we use for credit card entry use https and have been patched.
The various BBO clients don't use encryption in the first place.
Thanks for the answer.
I guess I would agree with subsequent posters that the login should be secure. That said, access to the login would not seem to compromise anything but the username and password. If the login was secure, it potentially - and ironically - would have exposed whatever was in memory, as opposed to just being able to login (and change a password).
#7
Posted 2014-April-16, 17:01
1eyedjack, on 2014-April-15, 23:49, said:
No IT guy, me, but I had the impression that if the URL starts with "https://" then it is sent encrypted, but if it starts with "http://" then it is not. Heartbleed compromised the encryptions. A lot of sites (most of BBO included) use the basic "http://" URL. Maybe that is an oversimplification?
Yes indeed, that's my concern. Doesn't BBO Forums use the same passwords as BBO? To log in to BBO Forums, the address shown on my browser is:
https://www.bridgeba...l&section=login
#8
Posted 2014-April-17, 08:34
jallerton, on 2014-April-16, 17:01, said:
Yes indeed, that's my concern. Doesn't BBO Forums use the same passwords as BBO? To log in to BBO Forums, the address shown on my browser is:
https://www.bridgeba...l&section=login
The forum uses whatever password you want for it. There is no forced relationship between forum password and gaming password; however, both have to have the same username. It would not surprise me if a lot of people use the same password for both, but that is on them, not the software.
--Ben--