Espen Harlinn wrote: If this is possible, it also means that the actual password, and not a
cryptographic digest, has been sent to the server
The way I read it is that the key pair can be read and thus the pwd decrypted. So the pwd is stored in an encrypted form so it doesn't look as bad as you think.
At least that's my take, but I don't know jack about security stuff.
"The whole idea that carbon dioxide is the main cause of the recent global warming is based on a guess that was proved false by empirical evidence during the 1990s." climate-models-go-cold
Munchies_Matt wrote: so it doesn't look as bad as you think
Errhm ... Heartbleed lets you read memory from the server: When it is exploited it leads to the leak of memory contents from the server
There shouldn't be any passwords to read from the memory on the server - only the cryptographic digest, which, on its own should be worthless ...
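Editor's note: the memory read discussed above comes down to one missing bounds check in the TLS heartbeat handler. The block below is an added example, my own simplified model and not OpenSSL's code: the sender claims a payload length, the vulnerable handler echoes that many bytes without comparing the claim to the size of the record it actually received, and the fixed handler applies the check the OpenSSL patch added (header + payload + padding must fit inside the record). The arena, the record layout and the "stale" credential string are all constructed here so the over-read stays inside memory we own; in the real bug it walked into whatever the process had allocated next to the record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code: a simplified model of the heartbeat
 * handling behind Heartbleed (CVE-2014-0160). */

#define ARENA_SIZE 256
#define HB_HEADER  3   /* 1 byte message type + 2 bytes payload length */
#define HB_PADDING 16  /* minimum padding that follows the payload */

/* Constructed arena: a short heartbeat record at the start, and further along
 * some stale data a previous request left behind (here a fake credential). */
static unsigned char arena[ARENA_SIZE];

/* Build a heartbeat request whose real payload is 4 bytes ("ping") but whose
 * length field claims `claimed` bytes. Returns the true record length. */
size_t build_arena(uint16_t claimed) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + HB_HEADER, "ping", 4);
    size_t record_len = HB_HEADER + 4 + HB_PADDING; /* what was really received */
    /* stale data: outside the record, inside the same memory region */
    memcpy(arena + 64, "user=alice&pw=hunter2", 21);
    return record_len;
}

/* Vulnerable handler: trusts the length field and never looks at rec_len.
 * Returns the number of bytes echoed into `out`. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                                  /* never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload > out_cap) payload = (uint16_t)out_cap; /* keep the model in our arena */
    memcpy(out, rec + HB_HEADER, payload);          /* reads past the real payload */
    return payload;
}

/* Fixed handler: the check the patch added. A record whose claimed payload
 * plus header and padding exceeds its actual length is silently discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > rec_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, payload);
    return payload;
}

/* Did the echoed bytes carry the stale credential? */
int leaks_secret(const unsigned char *out, size_t n) {
    const char *needle = "pw=hunter2";
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= n; i++)
        if (memcmp(out + i, needle, nl) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_arena(200);              /* claims 200 bytes, really 4 */
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: echoed %zu bytes, secret leaked: %d\n", n, leaks_secret(out, n));
    n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    printf("fixed: echoed %zu bytes\n", n);
    return 0;
}
```

The takeaway for the thread's argument: nothing in the leaked bytes is chosen by the server. Whether a given 64 KiB slice happens to hold a session cookie, a password that was just hashed, or a chunk of the private key depends only on what was adjacent in the heap when the request arrived, which is why repeated requests were so productive against busy servers.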
Referring to a SoapBox thread I read today, if it ain't got to do with kernel, it is stupid.
Your link says as much "This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet"
It doesn't say stealing passwords, it says stealing the encryption keys, and thus decrypting the traffic and thus effecting a 'man in the middle' attack.
Espen Harlinn wrote: which, on its own should be worthless
See 'man in the middle' attacks.
"The whole idea that carbon dioxide is the main cause of the recent global warming is based on a guess that was proved false by empirical evidence during the 1990s." climate-models-go-cold
Espen Harlinn wrote: There shouldn't be any passwords to read from the memory on the server - only the cryptographic digest, which, on its own should be worthless ...
Hashed passwords (even salted) can be cracked much faster than you think in many cases because people are bad at generating randomness. As such by going through likely passwords it is possible to crack thousands of passwords in a few hours.
J. Adam Armstrong wrote: As such by going through likely passwords it is possible to crack thousands of passwords in a few hours.
That's certainly true.
Espen Harlinn wrote: There shouldn't be any passwords to read from the memory on the server
What happens when someone logs in? The password is sent to the server (over SSL) and so the server may have it in a variable in memory for a period of time. How long the variable lives depends on the platform and scope (Allocated on the stack? Allocated on a memory managed heap? Static buffer constantly being overwritten?)
cheers
Chris Maunder
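Editor's note: the lifetime question Chris raises has a practical answer in native code, and the block below is an added example (mine, not from any particular server or library) showing it. Both handlers copy the submitted password into a stack buffer and hash it; the first leaves the plaintext in place when it returns, so it sits on the stack until something else overwrites it, while the second scrubs the buffer through a volatile pointer the moment the digest exists, so that the optimizer cannot drop the write as a dead store. The `toy_digest` function is an assumption standing in for a real password hash, and the `snapshot` parameter exists only so the test can inspect the buffer at the point of return.

```c
#include <stdio.h>
#include <string.h>

/* Added example: scrubbing a plaintext password as soon as it has been used.
 * A plain memset() just before return or free() is a dead store the compiler
 * is allowed to delete; a volatile write loop is the portable way to keep it
 * (explicit_bzero, memset_s and SecureZeroMemory do the same job). */

#define PW_MAX 64

/* Zero `n` bytes through a volatile pointer so the writes are kept. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Assumption: a placeholder for the real password hash (djb2-style), used
 * only so the two handlers have something to compute. Not a secure hash. */
unsigned long toy_digest(const unsigned char *p, size_t n) {
    unsigned long h = 5381;
    for (size_t i = 0; i < n; i++) h = h * 33 + p[i];
    return h;
}

/* Copy the password into the stack buffer, capped at PW_MAX-1 bytes. */
static size_t load_pw(unsigned char *buf, const char *pw) {
    size_t n = strlen(pw);
    if (n > PW_MAX - 1) n = PW_MAX - 1;
    memcpy(buf, pw, n);
    buf[n] = 0;
    return n;
}

/* Handler as commonly written: the plaintext is still in `buf` on return,
 * and stays in that stack region until something else reuses it. */
unsigned long login_leaky(const char *pw, unsigned char *snapshot) {
    unsigned char buf[PW_MAX];
    size_t n = load_pw(buf, pw);
    unsigned long h = toy_digest(buf, n);
    memcpy(snapshot, buf, PW_MAX);      /* observe the buffer as we leave */
    return h;
}

/* Same handler, with the password scrubbed as soon as the digest exists. */
unsigned long login_scrubbed(const char *pw, unsigned char *snapshot) {
    unsigned char buf[PW_MAX];
    size_t n = load_pw(buf, pw);
    unsigned long h = toy_digest(buf, n);
    secure_zero(buf, sizeof buf);
    memcpy(snapshot, buf, PW_MAX);      /* all zeros now */
    return h;
}

/* 1 if the password's bytes can still be found in the snapshot. */
int contains_password(const unsigned char *snap, const char *pw) {
    size_t n = strlen(pw);
    for (size_t i = 0; i + n <= PW_MAX; i++)
        if (memcmp(snap + i, pw, n) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char snap[PW_MAX];
    login_leaky("hunter2", snap);
    printf("leaky handler: password still in buffer: %d\n", contains_password(snap, "hunter2"));
    login_scrubbed("hunter2", snap);
    printf("scrubbed handler: password still in buffer: %d\n", contains_password(snap, "hunter2"));
    return 0;
}
```

Scrubbing narrows the window but does not close it: the bytes also passed through the TLS record buffer and whatever parsed the request body, and a managed runtime may have copied the string several times before the handler ever saw it. The check worth doing is the same one the thread is circling, namely whether the memory that held the password can be reached by anything that reads process memory before it is overwritten.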
You mention several things that have been used to crack security in the past.
As usual xkcd got it right: Heartbleed Explanation[^]
What makes heartbleed unique is not the bug in itself, it's the number of systems that are affected.
We've seen bugs that allow server memory to be read before, and it's highly likely that we will see them again.
Now, lets head over to the wonderful world of automation where systems are, as a rule of thumb, never patched.
Many Devices Will Never Be Patched to Fix Heartbleed Bug[^]
I have had LinkedIn account for some time. I don't care too much about security issues anymore.
I guess you tried for a joke - and being perhaps a bit slow tonight, I'm having a bit of a struggle ...
The issue is that it is in the SSL protocol which is usually safe. Because of that passwords are not typically hashed in javascript on the client, but the hash is generated on the server. That's why the servers might have passwords in memory. The bigger issue is that someone might have gotten the server's private key and been able to decrypt all the traffic to the server.
It may be time to change to a new host.
It may be time to renew with my existing host.
If I change, I can save significantly. (75%)
If I stay, I will...
-- remain with a host with which I am familiar
-- pay about twice what I paid for the signup deal
-- pay about four times what the EL-Cheap-O places are offering
I changed to this host due to various reasons, and I'm glad I did.
I learned about lower costs, and I like them
Now their costs are going up as high as the previous host, which makes the advantage approximately gone.
So far, my website(s) have been super low traffic and almost zero upkeep.
Question One: What do the experts here think ?
Question Two: There are one zillion hosting companies; where do I read the opinions of those who use them ?
(preferably, those who are currently using multiple hosts for multiple sites)
Question Three: is there a better place than the lounge to have this discussion ?
----EDIT----UPDATE----
Responses have indicated that my original post lacked needed info.
I have...
About 50 domain names; maybe 75; haven't counted.
About 100 or 200 E-mail addresses; again, haven't counted. The vast majority (90% easily) of those are just E-mail forwarding addresses; I use them for spam paranoia.
As time progresses, I want to host two or three small focused forums.
These forums will grow to millions of users and make me rich without any work (oh yeah)
modified 17-Apr-14 8:13am.
000webhost by a mile.
I know some people are wary of free stuff, but I've been with them for years and they have excellent uptime, features, bandwidth, and hard-drive space for low traffic websites.
Only annoying things about them:
1. If your traffic is really, really, really low (like 1 hit per month), or you don't sign into their membership portal every few months or so, they may pop an advert (advertising themselves) on your pages, despite their no-ads policy. Nothin' a bit of my hackish JS couldn't fix though...
2. They don't support ASP.NET.
Is that 75% of "a lot of money" or 75% of "a little money"?
If it's the latter, and you are happy with the service, then I wouldn't switch - "if it ain't broke" and all that.
If it's the former, then it's a good question, and here is as good a place as any.
How many hours of your time will you invest in moving, and how much is an hour of your time worth to you?
But personally, I can't be bothered with the free hosts, they are far too much trouble for the money you save.
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952)
Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
I'd agree with OG, saving a significant % of an insignificant amount is not worth changing. This can only be answered by you, 75% of $60 a year is not significant to some while it is a deal breaker for others.
Never underestimate the power of human stupidity
RAH
You can go to Web Hosting Talk[^] for some ideas...pretty overwhelming place though. Cool thing is a lot of ISP's go in there and offer deals.
I've been using cPanel plans at a couple of places for some years...I'm in Canada and want to keep my sites here if possible because the digital rights issues are getting kinda murky and I want to host in a place where my rights are predictable.
Having said that, places like Digital Ocean[^] in New York are mighty tempting...I'm ready to graduate from cPanel plans to VPS...might take some struggle at the beginning but it'd be nice to have some guaranteed resources.
C-P-User-3 wrote: my website(s) have been super low traffic
Bah. Save your time, money and aggravation. This internet thing is just a passing fad....
I have been with the same host for some 7 years who just so happen to have some rather awful write-ups out there.
However in those 7 years there have only been a handful of down half-days.
My attitude is "better the devil you know".
So if you can afford the cost I would recommend staying with them if they are reliable for you.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
I like Arvixe:
http://www.arvixe.com/[^]
I have my personal web site there. I moved a client's system to a sub-directory on my site so they could keep running while I updated their site (asp.net, SQL Server). The performance was so much better, they moved to Arvixe permanently. (Note: I do not work for Arvixe).
I agree. I have been hosting several sites with Arvixe for several years and I have no complaints. There are less expensive sites and have been tempted to give Mochahost a try for my new clients but so far, Arvixe has won my business. In the last case, the deciding factor was that they have a data center in Amsterdam and my newest client is in Europe... Mochahost is strictly US. Arvixe support is first rate, very responsive.
Hi C-P-User-3
I've been using ASPNIX [^] for the last 4 years and they are really good. Their support is very quick to help and they resolve any issues within minutes. I've also tried Arvixe, which did not give the support which I needed as quickly as ASPNIX.
Email me if you are interested in moving.
Cheers
Hi C-P-User-3,
You don't mention what you require: php, asp.net, mvc or something else? Do you need a database back-end, MSSQL or MySQL? Also, how much space do you need? Yes, super cheap/free hosts are available, but they have to cram 1000's of sites onto a server to make the figures stack up.
We use a Windows Web Hosting provider, which has its servers in the UK, as we are also in the UK - Nutty About Hosting. They provide dedicated UK based developer support too. Pick a hosting provider in your country if that is where your audience is.
Good points, good observation. I have just edited the original post with an update.
I have used Servage.net[^] for almost 5 years. They have unlimited webspace and traffic.