Treasure Hunter
Registered: 11/20/2006

Re: HeartBleed Passwords at risk?

Apr 11, 2014

kratos1984 wrote:

I think we're safe cause I found this article: http://qz.com/197258/how-to-tell-if-heartbleed-could-have-stolen-your-password-and-when-its-safe-to-...

 

I found playstation.com on the list and it says "no ssl". I'm not an expert, but it sounds like if a site doesn't have ssl it's safe, or is it the total opposite?


That list is not entirely accurate.

 

Take Netflix for example.  The list states that Netflix has no SSL so it is not vulnerable.

 

The main page has no SSL as it is only http://

However, the login page uses https://, meaning it could very well be using SSL, but as the main domain name is not https://, it would have been misread by this scan.


Also this list is far from official.  It was done by a single guy who is an independent programmer.  It is not from any reputable security firm.

Be One With The Game.

Message 11 of 16 (521 Views)
Treasure Hunter
Registered: 04/05/2009

Re: HeartBleed Passwords at risk?

Apr 11, 2014

Qualys SSL Labs (a major organization for the implementation of SSL/TLS) has released an SSL checker that simulates a browser logging into the forums and also simulates the Heartbleed attack.

 

The login page for the forums gets a pass on the Heartbleed attack. And so do the forums themselves.

 

https://www.ssllabs.com/ssltest/analyze.html?d=account.sonyentertainmentnetwork.com

https://www.ssllabs.com/ssltest/analyze.html?d=community.us.playstation.com

Message 12 of 16 (511 Views)
Treasure Hunter
Registered: 11/20/2006

Re: HeartBleed Passwords at risk?

Apr 11, 2014

But does the PSN Store?

 

More importantly, does whatever specific web service the PS3/PS4 logs into?  We don't even know what the URL is for that one.

Message 13 of 16 (484 Views)
First Son
Registered: 05/20/2009

Re: HeartBleed Passwords at risk?

Apr 11, 2014

Here is a tweet from the European Community leader.

 

The European and American forums use Lithium.

Envisager twitter.png

There could be a small risk that someone did some hacking before it was patched, so you may want to change your password anyway.

Message 14 of 16 (460 Views)
Treasure Hunter
Registered: 11/20/2006

Re: HeartBleed Passwords at risk?

Apr 11, 2014

It does very little good to change the forum password if the web service the PS3/PS4 goes through has not been patched.  They both use the same password.

Message 15 of 16 (439 Views)
First Son
Registered: 11/29/2008

Re: HeartBleed Passwords at risk?

Apr 14, 2014

It not only needs to be patched, but Sony needs to generate a new encryption certificate to make sure any potential past vulnerability is nullified.

 

If Sony is vulnerable to this issue, only when they've both patched the software and generated a new encryption certificate is it safe to change your password.  LastPass indicates the forums are potentially vulnerable and the SSL certificate is two years old, not a good sign.

 

Sony should at the very least make an official statement addressing this issue to tell us whether they're vulnerable or not.

Message 16 of 16 (239 Views)
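
The rule stated in the last post (server patched, then a certificate issued after the fix, then the password change), as an added example that is not part of the thread. The function names, the constructed `notBefore` strings and the cutoff (Heartbleed's public disclosure date, 7 April 2014, which the thread does not state) are assumptions; the `patched` value would come from a scanner result such as the SSL Labs reports linked above.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: cutoff is the public disclosure date of Heartbleed (not in the thread).
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def issued_at(not_before: str) -> datetime:
    """Parse a 'notBefore' string in the format ssl.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)


def reissued_since(not_before: str, cutoff: datetime = HEARTBLEED_DISCLOSED) -> bool:
    """True if the certificate was issued on or after the cutoff.

    A fresh date does not prove the private key was rotated or the old
    certificate revoked; an old date does show that no reissue happened.
    """
    return issued_at(not_before) >= cutoff


def password_change_advice(patched: bool, not_before: str) -> str:
    """Apply the post's rule: patch first, then new certificate, then password."""
    if not patched:
        return "wait: server not patched"
    if not reissued_since(not_before):
        return "wait: certificate predates disclosure"
    return "ok: change password"


def fetch_not_before(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Read notBefore from a live server's certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


# Constructed sample values, not taken from any real certificate.
OLD_CERT = "Apr 10 00:00:00 2012 GMT"   # about two years old at the time of the thread
NEW_CERT = "Apr  9 12:00:00 2014 GMT"   # issued after disclosure

if __name__ == "__main__":
    for patched, nb in [(False, OLD_CERT), (True, OLD_CERT), (True, NEW_CERT)]:
        print(patched, nb, "->", password_change_advice(patched, nb))
```

Each hostname that handles the password has to be checked separately, since the login host and the main site can present different certificates.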