Important: The Heartbleed Vulnerability, and what it means for *you*

Hello,

This announcement is somewhat technical, but very important, so please take a moment to read it.

In the last few days, there has been a whole lot of talk about a vulnerability in OpenSSL known as Heartbleed. This vulnerability affected an enormous chunk of the internet, including Mycena Cave. This really is a “the sky is falling” event happening to the Internet right now.

tl;dr: in a few days, change all of your passwords you have ever used on the internet. You should use a unique password for every website. For a slightly longer tl;dr, skip to the last section of this post, “What can you do about it?”.


Background: SSL and OpenSSL

You have surely noticed that some websites have “http” in the url bar, where others have “https”. The difference is that https connections are encrypted. The basic problem with http is that it’s a cleartext protocol. This means that anything you submit or receive over an http connection can be intercepted by malicious people on the internet, and even modified in transit. Attacks such as these are fairly simple for even computer novices to carry out. This is why SSL exists: in a nutshell, it encrypts your connection, making it safe from eavesdropping and alterations. Any website that handles secure information (banks, shopping, Amazon, email, really any site that accepts a password) should be using SSL and have their URLs start with https.

What is Heartbleed?

There are a few implementations of SSL out there, and OpenSSL is by far the most popular. Heartbleed is a bug in OpenSSL that allows an attacker to retrieve data from memory in any website running up-to-date versions of OpenSSL. Encryption keys are stored in memory which means that, in a nutshell, a determined attacker would be able to steal the encryption keys and certificates from vulnerable systems. With these keys, they would essentially be able to treat a “https” connection as a “http” connection, eavesdropping on any data and modifying things in transit. This includes anything from your online banking password to your instant messages. To reiterate, Mycena Cave along with the majority of the Internet was vulnerable to Heartbleed. Needless to say, this is Very Bad.

How long has this been going on?

The vulnerability was introduced in December 2011, which means that a good chunk of all SSL has been crackable for almost two and a half years. Performing the attack leaves no traces on the target system, which means that nobody knows if anybody has been exploiting it. This is pretty much a case of “oops apparently the gate was unlocked for two and a half years but nobody noticed”.

Was Mycena Cave compromised? If so, what was stolen?

One of the scary things about Heartbleed is there’s no way to tell if a server has been attacked. However, likely targets would have been banks, large shopping sites, etc, not small pet sites such as this one. As for your data, when you purchase gems or customs, your credit card information is never sent to Mycena Cave — this means that Mycena Cave’s vulnerability to Heartbleed could not have resulted in the theft of your credit card information. While we handle your passwords in pretty much the safest way possible, an attacker with our SSL keys eavesdropping on your connection while you are logging in would acquire your passwords before they even reach our servers.

How do we fix this?

The first thing websites need to do is patch their implementation of OpenSSL. This protects us from being attacked through the Heartbleed bug. Whether or not a website is currently vulnerable to the Heartbleed bug can be verified here.
[Mycena Cave finished this process early this morning]

Unfortunately, it doesn’t stop there: if a website has been exploited sometime in the last two years, attackers would have its encryption keys. This means that any website using the same certificates as it was before it patched OpenSSL is still open to attackers who have already stolen their keys. Basically you can think of Heartbleed as leaving your housekey lying around — even if you start keeping careful track of it, if someone already made a copy you aren’t safe until you change your locks. As such, websites must generate new SSL keys and certificates and revoke the old ones.
[Mycena Cave finished this process today at 13:30 server time]

As a precaution, after updating our certificates we cleared all sessions — which means if you were in the middle of a game of cave in or something, it’s going to lose your score :[ sorry about that.

What can you do about it?

The short answer is to change every password you have ever used on the Internet. But don’t rush to do it immediately. Changing your password on an affected site before it has patched the vulnerability and gotten new SSL certificates accomplishes little beyond potentially supplying your new password to attackers. Since sites will tend not to tell you when or if they generate new certificates, you should use a unique password for every website. Any compromised website that has not generated new certificates potentially leaks your password every time you log in.
[Mycena Cave has patched the vulnerability and generated new SSL keys, so you are safe to change your password here. Please do so ASAP]

Thanks for reading. Stay safe on the Internet.

Posted 04/09/14, edited 04/09/14
Thanks for the overview and the tips, as well as getting right on a fix. ^^ You guys rock!
Posted 04/09/14
Oh, jeez. Thank you so much for explaining and fixing all of this! I had very briefly heard about the exploit but hadn’t looked into it at all; I had no idea it was this serious. Now, I just have to hope that other people do what they need to do before I potentially lose anything important. -goes to change her password- >.<
Posted 04/09/14, edited 04/09/14

I had never heard of this before, thanks a bunch for the concise explanation! Luckily, I don’t have much information up online that would matter if anyone got a hold of. I’ll be making sure to alter passwords once sites have been confirmed as safe, however.
And you guys are undeniably the best, I’m amazed at how quickly you moved to protect the site. <3

Posted 04/09/14
Thank you for the information even Tumblr has had the staff announce it. So I’ll be changing my passwords on a lot of stuff.
Posted 04/09/14
Thanks for taking care of this so quickly! :D I’ll be informing my family of this.
Posted 04/09/14

Thanks for the very important information and writing it in a way that the average user can understand.
I’ll have to get my mom to change her passwords

Posted 04/09/14

Many many thanks to you for posting such an informative yet still easy to understand description of what’s going on.

Thanks for the update!

Posted 04/09/14
Aah. I was just looking at this yesterday when I saw one of my friends post some articles about it in response to someone. Guess it’s time to do a spring cleaning on my passwords again.
Posted 04/09/14

I’ve already explained this to a couple people, but nothing as comprehensive as this.
You wouldn’t mind if I use this guide to spread the word as long as I cite MC, correct?
Thanks for being so vigilant as always, glitch.

Posted 04/09/14
Thank you guys for the update and the tips and the quick and swift service! Y’all are fantastic!!!!!!1
Posted 04/09/14
Holy crap- I remember my friend telling me about this, but I tuned her out, and just- Wow. I had no idea it had been going on for that long. D: Good luck in your quest to fix Mycena, and thank you for being our protectors! C’:
Posted 04/09/14

“Performing the attack leaves no traces on the target system, which means that nobody knows if anybody has been exploiting it.”
“The short answer is to change every password you have ever used on the Internet. But don’t rush to do it immediately.”

This is the first time I’ve ever heard of this “Heartbleed” issue. While I have the mentality of “I’m one person out of billions, what’s the chances of [password theft] ever happening to me”... anything like this could happen to anyone. Now I’m going to be paranoid about logging into my bank account online. I just made a purchase on my credit card online a few hours ago!

My questions are
1) If it’s been known to exist since late 2011… would most major websites (you mention banks, shopping, amazon, email) have patched their SSL by now?
2) When would you suggest password change? If not now… are you saying a week? A month? I’m guessing the major ones (seen above) should be taken care of first… but when?

I think I’ll have to do a little reading on this topic then… :/
When something like a [major virus] shows up, I’m extremely paranoid about visiting sites talking about that issue. As someone with a genuine anxiety with viruses and glitches, I don’t know what websites are safe to browse.

Posted 04/09/14, edited 04/09/14
@Tsar Nicky: This has existed since 2011, but the vulnerability was only discovered in the past week and publicized on Monday. Most of the really big sites (Amazon, Google, and Microsoft) were not affected…I believe the largest site affected was Yahoo, and they’ve patched everything by now. If you’re worried about your bank, email your customer service and ask!  In terms of password change, I’d give it a week or so; people are scrambling to patch this but it’s most likely to be the smaller sites that take the longest, and most of those guys won’t have big info like credit card stuff anyhoo.
Posted 04/09/14
I’ve got to say that going through tons of sites to change all of my passwords is severely irritating. It’s better to be safe than sorry, but it’s going to take me quite a while to get used to my new passwords. I’m glad you’re looking out for us, though.
Posted 04/09/14

You know I hadn’t turned on the news today yet when that announcement popped up (See that! I come here first!) and I was all like “... Heartbleed Vulnerability?  OMG what’s that that sounds so COOL!!” thinking it was a new game or an upcoming event or something xD

Btw you’re missing an N there glitch in Vulerability in the title :p

Tsar Nicky the news today had a very good suggestion. They said not to run and change all your passwords unless/until the sites specifically state that they have patched the issue, just because they may still be working on a fix and you might have to change your password again once it is. If the site doesn’t say anything contact the admin/tech support for the site just like Chimerical says.

Posted 04/09/14, edited 04/09/14

My mother recently had her debit card information stolen (thankfully the bank caught it and didn’t let any of the charges through) and I’m half wondering if it’s because of this. She’s normally really careful with stuff like that otherwise. I admit it made me dash over to my online account to make sure everything was okay, haha, it was ;w;


But thanks for getting everything patched up on this end, glitch. Even though Mycena is a smaller site, it’s nice to know everything here is ‘safe’. :]

Posted 04/09/14
I really appreciate the warning and the explanation :D I’ll definitely be passing along the basic info, and if you don’t mind I’d like to pass your explanation (crediting you and Mycena).
Posted 04/09/14

Chimerical
Thanks for clearing that up! As someone who hadn’t heard of it until now, I was a bit uncertain. Nothing has shown up in my e-mail from the websites I use. A while back, didn’t Kickstarter have an issue with leaked passwords? They sent out a mass e-mail about the issue and that it’d be wise to change your information. I would hopefully assume other websites would be doing the same about this issue as they’re able to fix it.

Hina
Hopefully those websites will make an announcement! Crossing my fingers!

Posted 04/09/14
Thanks for the announcement. And glad things were patched up here c:
Posted 04/09/14

Thanks for the announcement. I’ve been trying to deal with banking information and such regarding it. Unfortunately they’ve been terribly unhelpful and I’ve actually been told that I’m just letting the media scare me. *rage desk flip*

If possible, contact tech support rather than customer service. *grump*

Posted 04/09/14
Thank you for the information and for keeping Mycena safe! I’m afraid I’m guilty of not changing my passwords very often, so this is at least a good reminder to stay on top of that.
Posted 04/09/14, edited 04/09/14

Akira, Jingles: you’re welcome to use this, and no need to cite us — you’ll find basically the same info on most sites talking about it. As usual, Bruce Schneier has an excellent short and sweet writeup. Another good article is this one.

Tsar Nicky: While the vulnerability has existed since December 2011, it was only discovered by the “good guys” on Monday, which is when the patch was released. Hopefully the big players will all have sorted things out by now. Smaller sites may take longer, if they do it at all. As for when to change your passwords, as Chimerical said the correct time to do it is after the site has dealt with the issue. For banks and the like, it was probably Monday night. For us that was today. For other small sites… maybe later, if ever? A good idea if you’re worried is to change it now, and then change it again later, and just always keep an eye on your account. This goes doubly so for your credit card statements, unless you can categorically say “I have not entered any bank / credit card information into the internet since December 2011”.

Chimerical: It’s not the size of the organization that defines whether it was affected, it’s the software they were running. Microsoft was not affected because they, for the most part, run Windows and OpenSSL does not run on Windows (the vast majority of the Internet does not run Windows). I actually got the chance to speak with the person that NYT/cnet were interviewing today (it was awesome >u>), and one of the things we chatted about was Heartbleed — his team did the check, and something like 70% of the Alexa top 1,000,000 websites were vulnerable. Long story short, being at the top does not save you.

Kiwi: keep keeping an eye on it.

Tsar Nicky: a lot of websites end up leaking passwords at some point or another. However, this is almost always due to bad handling of passwords. LinkedIn, for example, stored the passwords in cleartext O_O. Adobe “encrypted” them (whatever that means — turns out they were not difficult to crack). Pretty much everyone who’s been around a while does something stupid with passwords, especially if they existed before good standards were created.

Insigne: consider changing banks >_>. In all seriousness, that kind of cavalier attitude towards your data is disturbing. Here’s a good litmus test: try logging in to your bank with the capitalization in your password screwed up. I was rather surprised to find that a number of banks use a case insensitive login. wtf. Anyway anyone that does that should probably not be touching your money.

————————————

For anyone interested, the technical details of this attack are pretty beautiful >_> Basically, there’s an extension to TLS (the protocol that implements SSL aka HTTPS) which lets you keep connections open for a while, by sending “heartbeat” messages that basically let both sides know the other is still there. The format of these messages is:
[length of payload (up to 64 kb), payload, 16 random bytes of padding]

A valid response is
[length of payload, the same payload, 16 fresh random bytes of padding]

This heartbeat protocol happens “out of band”, which is a fancy way of saying “it’s part of the protocol that isn’t really part of the protocol… it’s fairly insignificant and happens behind the scenes so we just sort of pretend it doesn’t exist. We don’t log it because seriously, what could possibly go wrong?”. So, when OpenSSL receives a heartbeat packet, it needs to copy the payload into its response. The way it does this is:
- define the location of the received payload in memory
- copy “length of payload” bytes from where the received payload is into your response
- generate new padding
- send the packet

Seems reasonable, right? What’s missing was a check that makes sure that the payload you sent isn’t actually shorter than the length you claim it is. So, if you send a heartbeat packet where you say the length is 64 kb, but with a payload that is actually 0 bytes long, OpenSSL happily copies 64 kilobytes of whatever happens to be in the memory below the payload and sends it back to you. Basically, each malicious heartbeat packet you send, you get up to 64 kb of something else that the server is currently storing in memory. You can do this as many times as you like, and since this is an out-of-band part of the protocol, none of this is logged, and none of this leaves any kind of trace at all. Heartbeat messages bleeding information -> “Heartbleed”.

It just goes to show, something as trivial as skipping a simple bounds check in some insignificant part of a protocol can bring the Internet to its knees. Ouch.

Posted 04/09/14, edited 04/09/14
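The missing bounds check described in the post above, as an added example that is not part of the original thread and is not OpenSSL’s code. It models a heartbeat record as a 2-byte big-endian length, the payload, and 16 bytes of padding (the real record also carries a leading type byte and a 64 KiB limit; both are left out). “Process memory” is a constructed static buffer with a made-up secret placed right after the record, so the over-read stays inside allocated memory and the program runs safely. The vulnerable handler copies the claimed number of bytes without consulting how many bytes actually arrived; the fixed handler adds the comparison against the received record length and drops mismatched records without responding.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code.  Simplified heartbeat record:
 * [2-byte length][payload][16 bytes padding].  "heap" is a constructed
 * stand-in for process memory so the over-read below is safe to run. */

#define PADDING 16
#define HEAP_SIZE 4096

static unsigned char heap[HEAP_SIZE];

/* Write a heartbeat request at the start of heap and place a constructed
 * "secret" (standing in for keys or session data) immediately after it,
 * as a neighbouring allocation would be.  Returns the number of bytes
 * that actually arrived on the wire. */
static size_t build_request(const unsigned char *payload, size_t actual_len,
                            size_t claimed_len, const char *secret)
{
    size_t record_len = 2 + actual_len + PADDING;
    memset(heap, 0, HEAP_SIZE);
    heap[0] = (unsigned char)(claimed_len >> 8);
    heap[1] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 2, payload, actual_len);
    memset(heap + 2 + actual_len, 0xAA, PADDING);   /* sender's padding */
    memcpy(heap + record_len, secret, strlen(secret) + 1);
    return record_len;
}

static size_t claimed_length(void)
{
    return ((size_t)heap[0] << 8) | heap[1];
}

/* Pre-fix behaviour the post describes: copy "length of payload" bytes,
 * trusting the length the peer claimed.  Only the output buffer is
 * checked, so the copy reads past the end of the received record. */
static size_t respond_vulnerable(size_t record_len, unsigned char *out, size_t out_cap)
{
    size_t len = claimed_length();
    (void)record_len;                        /* never consulted: the bug */
    if (2 + len + PADDING > out_cap) return 0;
    out[0] = heap[0];
    out[1] = heap[1];
    memcpy(out + 2, heap + 2, len);          /* may read neighbouring memory */
    memset(out + 2 + len, 0x55, PADDING);    /* fresh padding */
    return 2 + len + PADDING;
}

/* Fixed behaviour: the bounds check the post says was missing.  A record
 * whose claimed length exceeds what actually arrived is dropped silently. */
static size_t respond_fixed(size_t record_len, unsigned char *out, size_t out_cap)
{
    if (record_len < 2 + PADDING) return 0;          /* no room for a length field */
    size_t len = claimed_length();
    if (2 + len + PADDING > record_len) return 0;    /* claim exceeds the record */
    if (2 + len + PADDING > out_cap) return 0;
    out[0] = heap[0];
    out[1] = heap[1];
    memcpy(out + 2, heap + 2, len);
    memset(out + 2 + len, 0x55, PADDING);
    return 2 + len + PADDING;
}

#define SECRET "SESSION-KEY-EXAMPLE"   /* constructed stand-in for key material */

/* Empty payload but a claimed length of 64: the vulnerable handler echoes
 * 64 bytes, and the secret that sat right after the 18-byte record is
 * among them.  Returns 1 if the secret appears in the response. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[256];
    size_t record_len = build_request((const unsigned char *)"", 0, 64, SECRET);
    size_t n = respond_vulnerable(record_len, out, sizeof out);
    return n == 2 + 64 + PADDING &&
           memcmp(out + record_len, SECRET, strlen(SECRET)) == 0;
}

/* The same malformed request against the fixed handler: no response at all. */
int fixed_rejects_oversized_claim(void)
{
    unsigned char out[256];
    size_t record_len = build_request((const unsigned char *)"", 0, 64, SECRET);
    return respond_fixed(record_len, out, sizeof out) == 0;
}

/* A well-formed request still gets its payload echoed by the fixed handler. */
int fixed_echoes_valid_payload(void)
{
    unsigned char out[256];
    size_t record_len = build_request((const unsigned char *)"ping", 4, 4, SECRET);
    size_t n = respond_fixed(record_len, out, sizeof out);
    return n == 2 + 4 + PADDING && memcmp(out + 2, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks neighbouring memory: %s\n",
           vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler drops oversized claim: %s\n",
           fixed_rejects_oversized_claim() ? "yes" : "no");
    printf("fixed handler still echoes valid payload: %s\n",
           fixed_echoes_valid_payload() ? "yes" : "no");
    return 0;
}
```

The one-line difference between the two handlers is the comparison of the claimed length against `record_len`, the count of bytes that were actually received; everything else is identical, which is the point the post makes about how small the missing check was. Dropping the malformed record without replying, rather than answering with an error, matches the fix that shipped for this class of message and gives a probing peer nothing to learn from.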

Glitch that website is useful
xD

Posted 04/09/14, edited 04/09/14

Thanks for the information Glitch!

Does that mean that I don’t have to change passwords for sites that had the https in the url already?

Posted 04/09/14

@Glitch: Oh yeah, yeah. I just cited those sites because those are the ones that people worry most about. I know I relaxed a lot when I found out that google and amazon were fine. I know New York State spent a ton of money on Microsoft servers, and they’re probably very happy right now that they don’t have to deal with this. Apache servers being vulnerable is hella worrying.

Out of curiosity, for sites that run on shared servers, is the host or the site admin responsible for keeping the encryption up to date?

Posted 04/09/14, edited 04/09/14

Raye

“With these keys, [The Heartbleed Vulnerability] would essentially be able to treat a “https” connection as a “http” connection, eavesdropping on any data and modifying things in transit. This includes anything from your online banking password to your instant messages”

The reason this is so dangerous is because this vulnerability “changes” the https security to the http so they are able to get usually safe information easily. This means you need to change your passwords on all sites regardless, unless the site specifically says they already took care of this issue way back.

Posted 04/09/14
Raye: This is a bug in OpenSSL (https), so it is the sites that had https in the url already that you need to change the passwords for.
Posted 04/09/14
Right! I realized that much later… XD *facepalm*
Posted 04/09/14
This is good to know. I went ahead and changed my password and spread the notice about this issue to any sites I’m on that didn’t have any threads/news about this.
Posted 04/10/14