Author Topic: when is Avast forums going to protect us from Heartbleed?  (Read 4193 times)


snadge

  • Guest
when is Avast forums going to protect us from Heartbleed?
« on: April 14, 2014, 09:27:21 PM »
According to LastPass.com your website is still affected and it is advising I wait until you patch your servers before changing my password

thanks

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11811
    • AVAST Software
Re: when is Avast forums going to protect us from Heartbleed?
« Reply #1 on: April 14, 2014, 09:38:04 PM »
If you read the fine print at the lastpass site, you'll find out that their checker doesn't really check for the current state of the server, but rather shows a past state.
Our servers have already been updated.

snadge

  • Guest
Re: when is Avast forums going to protect us from Heartbleed?
« Reply #2 on: April 14, 2014, 09:45:35 PM »
Quote
If you read the fine print at the lastpass site, you'll find out that their checker doesn't really check for the current state of the server, but rather shows a past state.
Our servers have already been updated.

No fine print... I ran a security check

So, just going off that... it would seem a bit odd to run off a once-only test set? Surely they keep checking?

Maybe Avast should inform them?

I have checked at that Filippo site and it says all good :)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37182
Re: when is Avast forums going to protect us from Heartbleed?
« Reply #3 on: April 14, 2014, 09:53:42 PM »
And safe here  ;)     http://heartbleed.criticalwatch.com


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31222
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: when is Avast forums going to protect us from Heartbleed?
« Reply #4 on: April 14, 2014, 10:01:52 PM »
You just haven't read the fine print, but it sure is there right on the page.
Quote
LastPass' checker is different from other checkers -- LastPass is checking if you were at risk in the past...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33590
  • malware fighter
Re: when is Avast forums going to protect us from Heartbleed?
« Reply #5 on: April 14, 2014, 11:31:21 PM »
Hi snadge,

Checking on sites other than your own, or without the written, explicit permission/request of the site owner,
could theoretically land you in jail under the terms of present US and UK law,
read: http://news.yahoo.com/trying-protect-yourself-heartbleed-could-land-jail-150922215.html

It sometimes puts ethical pentesters and security researchers in a rather difficult position.
What counts as allowed, normal, benevolent malware scanning and what is considered "rattling doors and windows" is not all that clear.
Even spreading info about the insecurities that such "rattling" turned up
could be considered illegal under present-day regulations.

A Heartbleed vulnerability check could be just balancing on the border of what is allowed and what is not;
the same goes for a DNS check, an SSL health check, etc.
A Dazzlepod IP check is frowned upon, as the results cannot be brought up against a particular site (without prior written permission).

So whoever keeps bug information from us to secretly abuse exploits for several years goes scot-free under the present system,
while he who wants to check his private security might find himself in a legal predicament
when this scanning is brought up against him. Academically, that is a very frustrating reality for security forces  :(

polonus
« Last Edit: April 14, 2014, 11:33:16 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

fssbob

  • Guest
Re: when is Avast forums going to protect us from Heartbleed?
« Reply #6 on: April 15, 2014, 01:07:36 AM »
Most of the Heartbleed checkers simply check whether the vulnerable server has been patched, WHICH ISN'T ENOUGH. After the vulnerability has been patched, the site in question needs a new SSL certificate to truly be safe. (For brevity, I'll skip the details as to why--there are plenty of places you can read about this.) The LastPass checker is the only one I know of that checks for this. It's currently telling us that AVAST HAS NOT TAKEN THIS SECOND STEP YET. This is a critical issue that I believe Avast has yet to address (at least in its public statements).
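A worked version of the "second step" this post is talking about, added here as an example; it is not code from the original thread, from Avast or from LastPass. It assumes you hold two certificates for the host: the one it served while it was still vulnerable and the one it serves now. The NotBefore comparison against the disclosure date (7 April 2014) is the heuristic a LastPass-style checker relies on; the block also compares the SubjectPublicKeyInfo of the two certificates, because a CA will reissue a certificate on the same leaked key and a date check alone would pass that. The certificates and the hostname `forum.example.test` are constructed inside the block so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Heartbleed (CVE-2014-0160) became public on 7 April 2014. A private key that
// lived in a vulnerable OpenSSL process before the host was patched has to be
// treated as leaked, so the certificate must be reissued on a NEW key.
var HeartbleedDisclosure = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// CertStatus is the outcome of comparing the certificate a host serves now
// with the one it served while it was vulnerable.
type CertStatus struct {
	NotBefore   time.Time
	IssuedAfter bool // NotBefore is later than the disclosure date
	KeyRotated  bool // SubjectPublicKeyInfo differs from the old certificate
}

// Safe is true only when both conditions hold; either one alone is not enough.
func (s CertStatus) Safe() bool { return s.IssuedAfter && s.KeyRotated }

// ParsePEMCert decodes the first CERTIFICATE block in pemData.
func ParsePEMCert(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckReissue compares old (served while vulnerable) with current.
func CheckReissue(old, current *x509.Certificate) CertStatus {
	return CertStatus{
		NotBefore:   current.NotBefore,
		IssuedAfter: current.NotBefore.After(HeartbleedDisclosure),
		KeyRotated:  !bytes.Equal(old.RawSubjectPublicKeyInfo, current.RawSubjectPublicKeyInfo),
	}
}

// selfSignedPEM builds a self-signed certificate for key with the given
// NotBefore and returns it PEM-encoded. Constructed test data only; it is not
// a certificate from any site mentioned in the thread.
func selfSignedPEM(key *ecdsa.PrivateKey, notBefore time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "forum.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Scenario plays out the three cases the thread argues about: the
// pre-disclosure certificate left in place, a reissue after disclosure on the
// same (leaked) key, and a full reissue on a fresh key.
func Scenario() (unpatched, sameKey, rotated CertStatus, err error) {
	leakedKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	freshKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	before := HeartbleedDisclosure.AddDate(-1, 0, 0) // issued a year before disclosure
	after := HeartbleedDisclosure.AddDate(0, 0, 7)   // reissued a week after
	mk := func(key *ecdsa.PrivateKey, nb time.Time) (*x509.Certificate, error) {
		p, e := selfSignedPEM(key, nb)
		if e != nil {
			return nil, e
		}
		return ParsePEMCert(p) // round-trip through PEM, as a real check would
	}
	oldCert, err := mk(leakedKey, before)
	if err != nil {
		return
	}
	sameKeyCert, err := mk(leakedKey, after)
	if err != nil {
		return
	}
	newKeyCert, err := mk(freshKey, after)
	if err != nil {
		return
	}
	return CheckReissue(oldCert, oldCert), CheckReissue(oldCert, sameKeyCert), CheckReissue(oldCert, newKeyCert), nil
}

func main() {
	u, s, r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("old cert still served: safe=%v\n", u.Safe())
	fmt.Printf("reissued, same key:    safe=%v\n", s.Safe())
	fmt.Printf("reissued, new key:     safe=%v\n", r.Safe())
}
```

In practice you would feed `ParsePEMCert` the certificate you saved from the host before the patch (a Certificate Transparency log or an old connection capture will do) and the one it serves today; only the last case, a later NotBefore on a different key, should be treated as safe. Note the limitation polonus raises later in the thread: this is a passive comparison of certificates you already hold, not a probe of the server, so it does not touch the legal question of scanning a site that is not yours.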

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31222
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: when is Avast forums going to protect us from Heartbleed?
« Reply #7 on: April 15, 2014, 02:35:34 PM »
I agree that patching the servers is not enough.
The (home) routers and modems also need to be patched.
If you connect with an unpatched router to a patched server, the certificate can still be retrieved.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33590
  • malware fighter
Re: when is Avast forums going to protect us from Heartbleed?
« Reply #8 on: April 15, 2014, 11:59:42 PM »
Hi Eddy,

It is known that Avast used a 2007 chain certificate that was never insecure.
We certainly should be patient, because a repeated renewal may be needed within a month or two, before
"the dust of the Heartbleed aftermath has really settled" and subsequent abuse has ceased.
This means that after that period passwords will have to be changed once again, etc.
So the six-step procedure to secure SSL vulnerabilities has to be repeated in due time.

Apart from the Heartbleed situation there is an enormous amount of SSL-implementation insecurity around. Just visit a site with Recx Security Analyzer
and glance at a Netcraft report and you will see where best security policies have not been followed. The intentional RSA downgrading is also still constantly backfiring. Avast is on RSA life  8). Then it is a given fact that https is often left out of scans (Avast does not scan https sites and does not report certificate issues like Comodo does; as an issuer, of course, this behavior is obvious - it is their own shop idea). So, just like CMS update scanning (Sucuri scans & Joomla scans, for instance), this is a field where a lot is happening but alas "too little and too late".

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31222
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: when is Avast forums going to protect us from Heartbleed?
« Reply #9 on: April 16, 2014, 12:08:59 AM »
What I meant to say is that patching servers is not enough.
Let's compare it with a car that has 4 flat tires.
The front ones are the servers, the back ones are the (home) routers.
Replacing the front ones only solves part of the problem.
The rear ones also need to be replaced.
Until ALL 4 tires are replaced/patched, the car isn't safe to drive.

Besides this all, this webboard is using http, not https.
« Last Edit: April 16, 2014, 12:13:59 AM by Eddy »

cavehomme2

  • Guest
Re: when is Avast forums going to protect us from Heartbleed?
« Reply #10 on: April 24, 2014, 04:18:17 PM »
I have noticed this warning on LastPass as well, the Avast cert needs to be updated otherwise it is not secure. Other sites are updating their certs, I am puzzled why Avast does not do it.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40605
  • Dragons by Sasha
    • Malware fixes
Re: when is Avast forums going to protect us from Heartbleed?
« Reply #11 on: April 24, 2014, 04:30:45 PM »
Quote
I have noticed this warning on LastPass as well, the Avast cert needs to be updated otherwise it is not secure. Other sites are updating their certs, I am puzzled why Avast does not do it.
Check Igor's reply (the second post in the thread)