Heartbleed - BBO Discussion Forums


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

Heartbleed Do BBO users need to take any action?

#1 jallerton
  • Group: Advanced Members
  • Posts: 1,796
  • Joined: 2008-September-12
  • Gender:Male

Posted 2014-April-15, 01:20

I have a question for BBO.

Are the passwords used to log in to BBO/BBO Forums potentially vulnerable to 'Heartbleed'?
1

#2 uday
  • Group: Advanced Members
  • Posts: 5,808
  • Joined: 2003-January-15
  • Gender:Male
  • Location:USA

Posted 2014-April-15, 15:05

the web pages we use for credit card entry use https and have been patched.

the various bbo clients don't use encryption in the first place.
0

#3 TylerE
  • Group: Advanced Members
  • Posts: 2,760
  • Joined: 2006-January-30

Posted 2014-April-15, 16:00

That's....troubling, frankly. Login details at the very least should be encrypted.
1

#4 Mbodell
  • Group: Advanced Members
  • Posts: 2,871
  • Joined: 2007-April-22
  • Location:Santa Clara, CA

Posted 2014-April-15, 23:28

TylerE, on 2014-April-15, 16:00, said:

That's....troubling, frankly. Login details at the very least should be encrypted.


Agreed. When I log in to the web view I can see that username and password get sent in plain text as part of the form data of a request to http://webutil.bridg...m/v2/ud_api.php and to http://webutil.bridg...d_listmail.php. It appears that someone then hashes the password because the username and a large number instead is sent for the later request to http://webutil.bridg.../frontpage.php. Fortunately there are only small amounts of money associated with BBO accounts. The only query param in the URL is a cbust which is a random number (and likely is there to trick/force caches not to cache the pages). But as far as I can tell from the Chrome network tab, the form data, including the password for the first two requests, is in plain text.
0
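The observation above, that the login form posts the password in the clear to an http:// endpoint, is exactly what a quick audit of a browser capture should surface. The following is an added example, not code from BBO or from any poster in this thread: it walks a constructed, HAR-style list of requests (the example.invalid hostnames, the field names and the cbust parameter are assumptions modelled on the description above) and reports which requests carry a secret-looking field over plain HTTP, which carry one over TLS, and which carry none. Only the TLS-carrying ones were even in scope for Heartbleed; the plaintext ones need no bug at all to be read by anyone on the path.

```python
"""Flag credential-bearing requests that leave the browser unencrypted.

Added illustration, not code from BBO or from the thread. Input is a
constructed list of request records of the kind Chrome's Network tab
exports as HAR; hostnames, paths and field names are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# Substrings that usually mark a secret-bearing form field (assumption).
SECRET_HINTS = ("pass", "pwd", "secret", "token")

# Constructed sample capture: a plaintext login POST, the hashed follow-up
# request the post above describes, a TLS forum login, and a GET that puts
# the password in the query string.
SAMPLE_REQUESTS = [
    {"method": "POST",
     "url": "http://webutil.example.invalid/v2/ud_api.php?cbust=8841",
     "postData": "user=alice&password=hunter2"},
    {"method": "POST",
     "url": "http://webutil.example.invalid/frontpage.php?cbust=1077",
     "postData": "user=alice&h=3145998264"},
    {"method": "POST",
     "url": "https://www.example.invalid/forum/index.php?section=login",
     "postData": "ips_username=alice&ips_password=hunter2"},
    {"method": "GET",
     "url": "https://www.example.invalid/login?user=alice&password=hunter2"},
]


def secret_fields(form):
    """Names of fields whose name suggests they carry a secret."""
    return sorted(k for k in form if any(h in k.lower() for h in SECRET_HINTS))


def classify(req):
    """Classify one request record by transport and by secret-looking fields."""
    parts = urlsplit(req["url"])
    form = parse_qs(req.get("postData", ""), keep_blank_values=True)
    query = parse_qs(parts.query, keep_blank_values=True)
    # Secrets in the query string are worse than in the body: they also end
    # up in server, proxy and browser-history logs, whatever the scheme.
    secrets = secret_fields(form) + ["query:" + k for k in secret_fields(query)]
    if secrets and parts.scheme == "http":
        finding = "PLAINTEXT_CREDENTIAL"   # readable by anyone on the path
    elif secrets:
        finding = "TLS_CREDENTIAL"         # protected in transit; the endpoint
                                           # that terminates TLS is what a bug
                                           # like Heartbleed could expose
    else:
        finding = "NO_SECRET_FIELD"
    return {"url": f"{parts.scheme}://{parts.netloc}{parts.path}",
            "finding": finding,
            "fields": secrets}


def audit(requests=SAMPLE_REQUESTS):
    """Run the classifier over a capture and return one row per request."""
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for row in audit():
        print(f'{row["finding"]:21} {row["method"] if "method" in row else "":4} '
              f'{row["url"]}  {",".join(row["fields"])}')
```

The second sample shows why "a large number instead of the password" is only a partial improvement: if the value is a client-side hash sent over http, a listener who captures it can replay it, so it should be treated as a credential too; the classifier above deliberately does not guess at that and only matches field names.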

#5 1eyedjack
  • Group: Advanced Members
  • Posts: 6,575
  • Joined: 2004-March-12
  • Gender:Male
  • Location:UK

Posted 2014-April-15, 23:49

TylerE, on 2014-April-15, 16:00, said:

That's....troubling, frankly. Login details at the very least should be encrypted.


No IT guy, me, but I had the impression that if the URL starts with "https://" then it is sent encrypted, but if it starts with "http://" then it is not. Heartbleed compromised the encryptions. A lot of sites (most of BBO included) use the basic "http://" URL. Maybe that is an oversimplification?
Psych (pron. saik): A gross and deliberate misstatement of honour strength and/or suit length. Expressly permitted under Law 73E but forbidden contrary to that law by Acol club tourneys.

Psyche (pron. sahy-kee): The human soul, spirit or mind (derived, personification thereof, beloved of Eros, Greek myth).
Masterminding tr. v. - Any bid made by bridge player with which partner disagrees.

"Gentlemen, when the barrage lifts." 9th battalion, King's own Yorkshire light infantry,
2000 years earlier: "morituri te salutant"

"I will be with you, whatever". Blair to Bush, precursor to invasion of Iraq
0
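On what Heartbleed actually broke: it was not the encryption as such but a missing bounds check in OpenSSL's TLS heartbeat handling (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f). A peer that claimed a longer heartbeat payload than it actually sent got back up to 64 KB of whatever sat next to the request in server memory, which could include other users' passwords or the server's private key. Plain http:// endpoints were never affected by it, because there is no TLS layer to send a heartbeat to; they simply expose everything to anyone on the path. The added example below is not from the thread or from BBO: it encodes a heartbeat request per RFC 6520, simulates both an unpatched and a patched server entirely offline (the "heap" contents are constructed), and measures what comes back beyond the bytes that were sent. The patched branch is the bounds check the fix introduced.

```python
"""Heartbleed mechanics, simulated offline.

Added illustration, not code from the thread or from BBO. No network
traffic is generated; the server side is a small simulation whose
'adjacent heap memory' is a constructed byte string.
"""
import struct
from typing import Optional

HEARTBEAT = 24                 # TLS ContentType for heartbeat messages (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
TLS1_2 = b"\x03\x03"
MIN_PADDING = 16               # RFC 6520: at least 16 bytes of padding

# Constructed stand-in for what sat in the server process after the request
# buffer: a neighbouring plaintext login request, repeated so the region is
# larger than the over-read below.
SAMPLE_HEAP = b"POST /login HTTP/1.1\r\nuser=alice&password=hunter2\r\n" * 8


def tls_record(ctype: int, body: bytes) -> bytes:
    """Wrap a message body in a TLS record header (type, version, length)."""
    return struct.pack("!B2sH", ctype, TLS1_2, len(body)) + body


def parse_record(record: bytes):
    """Split a TLS record into (content type, body); reject truncated input."""
    ctype, _version, length = struct.unpack("!B2sH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record")
    return ctype, body


def heartbeat_request(payload: bytes, claimed_length: int) -> bytes:
    """HeartbeatRequest whose payload_length field may claim more than was sent."""
    body = struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING
    return tls_record(HEARTBEAT, body)


def heartbeat_fits(body: bytes) -> bool:
    """The bounds check the fix added: type + length + payload + padding must fit."""
    if len(body) < 3 + MIN_PADDING:
        return False
    claimed = struct.unpack("!H", body[1:3])[0]
    return 3 + claimed + MIN_PADDING <= len(body)


def simulated_server(record: bytes, heap_after_buffer: bytes, patched: bool) -> Optional[bytes]:
    """Answer a heartbeat the way an unpatched or patched OpenSSL would."""
    ctype, body = parse_record(record)
    if ctype != HEARTBEAT or body[0] != HB_REQUEST:
        return None
    if patched and not heartbeat_fits(body):
        return None                      # fixed code silently discards it
    claimed = struct.unpack("!H", body[1:3])[0]
    # Unpatched behaviour: copy `claimed` bytes starting at the payload, which
    # runs past the request into adjacent memory when `claimed` is too large.
    readable = body[3:] + heap_after_buffer
    echoed = readable[:claimed]
    return tls_record(HEARTBEAT,
                      struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * MIN_PADDING)


def leaked_bytes(sent_payload: bytes, response: Optional[bytes]) -> bytes:
    """Bytes echoed back beyond what we sent: non-empty means memory disclosure."""
    if response is None:
        return b""
    ctype, body = parse_record(response)
    if ctype != HEARTBEAT or body[0] != HB_RESPONSE:
        return b""
    claimed = struct.unpack("!H", body[1:3])[0]
    echoed = body[3:3 + claimed]
    return echoed[len(sent_payload):]


if __name__ == "__main__":
    req = heartbeat_request(b"ping", claimed_length=100)
    for patched in (False, True):
        leak = leaked_bytes(b"ping", simulated_server(req, SAMPLE_HEAP, patched))
        print(f"patched={patched}: {len(leak)} bytes leaked, "
              f"password present: {b'password=' in leak}")
```

The point the simulation makes about this thread: the credentials in SAMPLE_HEAP got into server memory over a plaintext request, and the heartbeat bug only reads them out again. The honest request (claimed length equal to the real payload) is answered identically by both servers, which is why the bug went unnoticed for so long and why the only reliable check is a mismatched length.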

#6 FM75
  • Group: Full Members
  • Posts: 496
  • Joined: 2009-December-12

Posted 2014-April-16, 16:53

uday, on 2014-April-15, 15:05, said:

the web pages we use for credit card entry use https and have been patched.

the various bbo clients don't use encryption in the first place.


Thanks for the answer.

I guess I would agree with subsequent posters that the login should be secure. That said, access to the login would not seem to compromise anything but the username and password. If the login was secure, it potentially - and ironically - would have exposed whatever was in memory, as opposed to just being able to login (and change a password).
0

#7 jallerton
  • Group: Advanced Members
  • Posts: 1,796
  • Joined: 2008-September-12
  • Gender:Male

Posted 2014-April-16, 17:01

1eyedjack, on 2014-April-15, 23:49, said:

No IT guy, me, but I had the impression that if the URL starts with "https://" then it is sent encrypted, but if it starts with "http://" then it is not. Heartbleed compromised the encryptions. A lot of sites (most of BBO included) use the basic "http://" URL. Maybe that is an oversimplification?


Yes indeed, that's my concern. Doesn't BBO Forums use the same passwords as BBO? To log in to BBO Forums, the address shown on my browser is:

https://www.bridgeba...l&section=login
0

#8 inquiry
  • Group: Admin
  • Posts: 14,566
  • Joined: 2003-February-13
  • Gender:Male
  • Location:Amelia Island, FL
  • Interests:Bridge, what else?

Posted 2014-April-17, 08:34

jallerton, on 2014-April-16, 17:01, said:

Yes indeed, that's my concern. Doesn't BBO Forums use the same passwords as BBO? To log in to BBO Forums, the address shown on my browser is:

https://www.bridgeba...l&section=login


The forum uses whatever password you want for it. There is no forced relationship between forum password and gaming password, however, both have to have the same username. It would not surprise me if a lot of people use the same password for both, but that is on them not the software.
--Ben--
