
Just an FYI


mjr45


I posted an FYI to the non-Z related off-topic forum. I would hope the mods know about it. Fortunately my logon to this site already used my lowest-security tier of password. There are a few other Heartbleed-vulnerable sites that use old passwords.

The danger to folks on this forum would be if the same password used on this site is also used for such things as your bank, email, or any resource you really don't want to get compromised. If hackers get your password here by exploiting the Heartbleed vulnerability, they can then potentially log on to any other account where you might use the same password. If you use the same password for your email, there's a lot of exposure to mischief, as password resets can be intercepted via your email, allowing the hackers to hijack almost anything of yours, especially those accounts that use your email address as a user ID.

Anyway, if you've done like I have and changed the passwords on all of your sensitive accounts, you can PROBABLY be safe continuing to interact on this site with your old, now-insecure password. At least that's how I understand it. I think you just have to assume hackers have your classiczcars login -- including hackers from the NSA, of course. (The NSA is believed by the IT community to have introduced the bug into the OpenSSL code 10 years ago, and it appears from server logs that they have been exploiting their bug the entire time. The hacker community only discovered the exploit about 6 months ago.)

Link to comment

The danger is not in the site, but in the way it encrypts information (OpenSSL).

There are a lot of websites that use that type of security measure, although most websites that are in charge of sensitive information (email clients, banking, etc.) use a different approach, and thus aren't in danger of being compromised.

I'm not a huge fan of Norton (I've been a Microsoft Certified Technician for almost 3 years), but the way it is telling you what sites are vulnerable is by checking what type of encryption methods the site uses. Most websites have updated their measures, but I can't speak on behalf of this one.

Link to comment

Swede, I discovered the issue when I used this utility to test the site:

https://filippo.io/Heartbleed/

In the beginning this utility was actually able to exploit Heartbleed on the classiczcars.com site. (It tests by confirming the exploit works.) When I test now, I get a much less conclusive result. I don't know why or how, but until we hear the site has been fixed, I think it's best to assume it hasn't.
