Yahoo Mail Google Chrome Security Certificate Error

N918KT

Recently when I log into my Yahoo Mail email account with Google Chrome, I get a security certificate error saying that the "site cannot be trusted" or something along those lines. I went back to the email login page and when I tried to log in later, it was fine. I did an antivirus scan and it revealed no threats.

This happened to me twice already, the first time several days ago and the second time yesterday.

Anyone else have this problem with Yahoo Mail and Google Chrome?
 
Must be emergency revocations issued for original certs due to the Heartbleed bug, and Chrome honours revocation certs. I would not pay it much attention if your link is reasonably secure (e.g. not a wifi cafe). This sort of scare that cannot be explained easily to users is in part why some browsers simply ignore all revocations. Well that, and their programmers being lazy bums.

If you like to get even more confused, read here:
http://heartbleed.com/

Also be happy you're not in IT. The whole industry was late at work and/or getting over-caffeinated and/or drunk senseless yesterday, when Heartbleed was disclosed. Some estimate that about 1/3 of servers on the Internet are affected, and it's a whole lot of servers to patch... After which they need to get new certs, and yes, possibly revoke old certs. Cert authorities must be shoveling the money with a D-8 right about now.
 
> Also be happy you're not in IT. The whole industry was late at work and/or getting over-caffeinated and/or drunk senseless yesterday, when Heartbleed was disclosed. Some estimate that about 1/3 of servers on the Internet are affected, and it's a whole lot of servers to patch... After which they need to get new certs, and yes, possibly revoke old certs. Cert authorities must be shoveling the money with a D-8 right about now.

:yes:
 
Does this mean we (virtually all Internet users) need to change virtually every password after these systems get patched in a day or so?
 
> Does this mean we (virtually all Internet users) need to change virtually every password after these systems get patched in a day or so?

My answer is no, unless you use WiFi cafes a lot. However, you have to start rotating all the passwords as a precaution.

The nature of Heartbleed, as I understand it, is that it allows the attacker to steal private keys from servers. Having those keys, intercepted SSL sessions can be decrypted.

Note that, for example, Pilots of America is not encrypted at all. So, it was always open to the same snooping attack. Heartbleed merely drags down encrypted websites to PoA level. How often do you change your PoA password? Now copy the same discipline and apply it to your bank account. That would be my answer.
 
Passwords are already such a PIA I have been considering a password manager. I suspect I will be acting on that now. The reason I haven't so far is that I have a case of "analysis paralysis". Just reading the several threads on POA about them, everyone has a different opinion. I almost settled on "RoboForm Everywhere" until I read that the software is Read-Only on iPhones and tablets. You can access a password protected site using the Robo software but if you need to change a password you have to do it from a desktop. Sometimes I don't have access to a desktop when I need it, like when traveling.
 
> My answer is no, unless you use WiFi cafes a lot. However, you have to start rotating all the passwords as a precaution.
>
> The nature of Heartbleed, as I understand it, is that it allows the attacker to steal private keys from servers. Having those keys, intercepted SSL sessions can be decrypted.
>
> Note that, for example, Pilots of America is not encrypted at all. So, it was always open to the same snooping attack. Heartbleed merely drags down encrypted websites to PoA level. How often do you change your PoA password? Now copy the same discipline and apply it to your bank account. That would be my answer.

It's worse than that. You get random in-memory data from the SSL server which can easily include users' passwords as they were logging in, session ids, cookie data, credit card numbers over the wire, etc. Anything that the SSL server could be receiving could have been dished out to someone via the Heartbleed bug. If you polled servers really quickly you could damn near get everything they were doing.

Just imagine all the data that could be in memory then imagine getting 64 kb chunks of that randomly about as quickly as you want.
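
The over-read described in the post above, as an added example that is not part of the original thread and is not OpenSSL's code: a toy heartbeat handler that echoes as many bytes as the request's length field claims, beside a version that checks the claim against the record actually received. The arena, function names and sample data are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 128
#define PADDING 16            /* minimum padding in a heartbeat message */

/* Constructed stand-in for server memory: record at offset 0, leftover data after it. */
static uint8_t arena[ARENA_SIZE];

/* Store a request as type(1) | length(2) | payload | padding. claimed_len is
 * whatever the sender wrote in the length field. Returns the real record length. */
static size_t load_record(uint16_t claimed_len, const char *payload, const char *leftover)
{
    size_t n = strlen(payload), rec_len = 3 + n + PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (uint8_t)(claimed_len >> 8); arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, n);
    memcpy(arena + rec_len, leftover, strlen(leftover));
    return rec_len;
}

/* Pre-fix behaviour: trusts the length field. Returns bytes echoed. */
static size_t respond_vulnerable(size_t rec_len, uint8_t *out)
{
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    (void)rec_len;                                  /* never consulted: the bug */
    if (3 + claimed > ARENA_SIZE) claimed = ARENA_SIZE - 3; /* keep the demo in bounds */
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Fixed behaviour: discard when the claimed length does not fit the record. */
static size_t respond_fixed(size_t rec_len, uint8_t *out)
{
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (3 + PADDING > rec_len || 3 + claimed + PADDING > rec_len) return 0;
    memcpy(out, arena + 3, claimed);
    return claimed;
}

int main(void)
{
    uint8_t out[ARENA_SIZE];
    size_t rec = load_record(100, "ping", "session=CONSTRUCTED-SECRET");
    printf("vulnerable: %zu bytes, fixed: %zu bytes\n",
           respond_vulnerable(rec, out), respond_fixed(rec, out));
    return 0;
}
```

The 2-byte length field is why each leaked chunk tops out at about 64 KB.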
 
> My answer is no, unless you use WiFi cafes a lot. However, you have to start rotating all the passwords as a precaution.
>
> The nature of Heartbleed, as I understand it, is that it allows the attacker to steal private keys from servers. Having those keys, intercepted SSL sessions can be decrypted.
>
> Note that, for example, Pilots of America is not encrypted at all. So, it was always open to the same snooping attack. Heartbleed merely drags down encrypted websites to PoA level. How often do you change your PoA password? Now copy the same discipline and apply it to your bank account. That would be my answer.

No offense to the admins, but PoA password doesn't resemble any other password or have the same level of complexity as I had no security expectations here.

I rotate my other passwords regularly, but doing it off schedule is a pain.

But my understanding is that this attack made it possible for the attacker to grab the private key too, making even the encrypted content at risk.
 