Yahoo Mail Google Chrome Security Certificate Error

Discussion in 'Technical Corner' started by N918KT, Apr 9, 2014.

  1. N918KT

    N918KT Line Up and Wait

    Joined:
    Jan 13, 2013
    Messages:
    690
    Location:
    Philadelphia, PA
    Display name:
    KT
    Recently when I log into my Yahoo Mail email account with Google Chrome, I get a security certificate error saying that the "site cannot be trusted" or something along those lines. I went back to the email login page and when I tried to log in later, it was fine. I did an antivirus scan and it revealed no threats.

    This has happened to me twice already, the first time several days ago and the second time yesterday.

    Anyone else have this problem with Yahoo Mail and Google Chrome?
     
  2. zaitcev

    zaitcev En-Route

    Joined:
    Sep 30, 2010
    Messages:
    2,948
    Display name:
    Pete Zaitcev
    Must be emergency revocations issued for original certs due to the Heartbleed bug, and Chrome honours revocation certs. I would not pay it much attention if your link is reasonably secure (e.g. not a wifi cafe). This sort of scare that cannot be explained easily to users is in part why some browsers simply ignore all revocations. Well that, and their programmers being lazy bums.

    If you like to get even more confused, read here:
    http://heartbleed.com/

    Also be happy you're not in IT. The whole industry was late at work and/or getting over-caffeinated and/or drunk senseless yesterday, when Heartbleed was disclosed. Some estimate that about 1/3 of servers on the Internet are affected, and it's a whole lot of servers to patch... After which they need to get new certs, and yes, possibly revoke old certs. Cert authorities must be shoveling the money with a D-8 right about now.
     
    Last edited: Apr 9, 2014
  3. jesse

    jesse Administrator Management Council Member

    Joined:
    Oct 2, 2005
    Messages:
    15,646
    Location:
    Lincoln, NE
    Display name:
    Jesse
    :yes:
     
  4. Pi1otguy

    Pi1otguy Pattern Altitude

    Joined:
    Oct 24, 2007
    Messages:
    2,113
    Location:
    Long Beach, CA
    Display name:
    Fox McCloud
    Does this mean we (virtually all Internet users) need to change virtually every password after these systems get patched in a day or so?
     
  5. zaitcev

    zaitcev En-Route

    Joined:
    Sep 30, 2010
    Messages:
    2,948
    Display name:
    Pete Zaitcev
    My answer is no, unless you use WiFi cafes a lot. However, you have to start rotating all the passwords as a precaution.

    The nature of Heartbleed, as I understand it, is that it allows the attacker to steal private keys from servers. Having those keys, intercepted SSL sessions can be decrypted.

    Note that, for example, Pilots of America is not encrypted at all. So, it was always open to the same snooping attack. Heartbleed merely drags down encrypted websites to PoA level. How often do you change your PoA password? Now copy the same discipline and apply it to your bank account. That would be my answer.
     
  6. JOhnH

    JOhnH Touchdown! Greaser!

    Joined:
    May 20, 2009
    Messages:
    10,779
    Location:
    Florida
    Display name:
    Spun Out
    Passwords are already such a PIA I have been considering a password manager. I suspect I will be acting on that now. The reason I haven't so far is that I have a case of "analysis paralysis". Just reading the several threads on POA about them, everyone has a different opinion. I almost settled on "RoboForm Everywhere" until I read that the software is read-only on iPhones and tablets. You can access a password protected site using the Robo software but if you need to change a password you have to do it from a desktop. Sometimes I don't have access to a desktop when I need it, like when traveling.
     
  7. jesse

    jesse Administrator Management Council Member

    Joined:
    Oct 2, 2005
    Messages:
    15,646
    Location:
    Lincoln, NE
    Display name:
    Jesse
    It's worse than that. You get random in-memory data from the SSL server which can easily include users' passwords as they were logging in, session ids, cookie data, credit card numbers over the wire, etc. Anything that the SSL server could be receiving could have been dished out to someone via the Heartbleed bug. If you polled servers really quickly you could damn near get everything they were doing.

    Just imagine all the data that could be in memory, then imagine getting 64 KB chunks of that randomly about as quickly as you want.
     
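Posts 5 and 7 describe the mechanism in words: the server hands back whatever happens to sit in memory next to the heartbeat request, up to 64 KB at a time, which may include keys, passwords and session cookies. The following is an added example, not code from this thread or from OpenSSL. It models that over-read in a small constructed arena that stands in for the server's heap: a heartbeat record (type byte, two-byte claimed payload length, real payload, padding) is laid out at the front, a made-up secret string sits right behind it, and two handlers process it. The vulnerable handler copies as many bytes as the peer claims; the fixed handler applies the bounds check that OpenSSL 1.0.1g added (drop the message unless 1 + 2 + payload + 16 fits in the received record). All names, the arena layout and the secret are assumptions for the demo.

```c
/* Added example, not code from this thread or from OpenSSL: a simplified
 * model of the Heartbleed over-read (CVE-2014-0160) in the TLS heartbeat
 * handler. The arena, names and the secret string are invented for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 128
#define HB_REQUEST 1
#define HB_PADDING 16   /* TLS heartbeat messages carry at least 16 bytes of padding */

/* Constructed "server memory": the heartbeat record is parsed from the
 * front of the arena and leftover data (a secret) sits right behind it. */
static unsigned char arena[ARENA_SIZE];

/* Lay out a heartbeat record: type, 2-byte big-endian claimed payload
 * length, the real payload, padding, then the secret that an attacker
 * should never see. Returns the true record length (without the secret). */
size_t build_record(uint16_t claimed_len, const char *payload, const char *secret)
{
    size_t real_len = strlen(payload);
    size_t rec_len = 1 + 2 + real_len + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real_len);
    memset(arena + 3 + real_len, 'P', HB_PADDING);
    memcpy(arena + rec_len, secret, strlen(secret));   /* adjacent heap data */
    return rec_len;
}

/* Vulnerable handler: trusts the peer's length field and copies that many
 * bytes, reading past the end of the record. The only clamp is to the
 * arena so this demo stays memory-safe; the real code had none. */
size_t vulnerable_reply(size_t record_len, unsigned char *out, size_t out_cap)
{
    uint16_t payload = (uint16_t)((arena[1] << 8) | arena[2]);
    (void)record_len;                      /* never consulted: the bug */
    if (payload > out_cap) payload = (uint16_t)out_cap;
    if (payload > ARENA_SIZE - 3) payload = (uint16_t)(ARENA_SIZE - 3);
    memcpy(out, arena + 3, payload);
    return payload;
}

/* Fixed handler, following the OpenSSL 1.0.1g check: silently drop the
 * message unless 1 + 2 + payload + 16 fits inside the received record. */
size_t fixed_reply(size_t record_len, unsigned char *out, size_t out_cap)
{
    uint16_t payload;
    if (record_len < 1 + 2 + HB_PADDING) return 0;
    payload = (uint16_t)((arena[1] << 8) | arena[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, arena + 3, payload);
    return payload;
}

/* Does the byte string `needle` occur inside `hay`? This is what an attacker
 * does with each leaked chunk: grep it for credentials and cookies. */
int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Scenario: a 5-byte payload that claims to be 64 bytes long. Returns 1 when
 * the vulnerable reply leaks the secret and the fixed handler refuses. */
int run_demo(void)
{
    unsigned char out[64];
    const char *secret = "session=deadbeef; user=kt; password=hunter2";  /* constructed */
    size_t rec = build_record(64, "hello", secret);
    size_t n = vulnerable_reply(rec, out, sizeof out);
    int leaked = (n == 64) && contains(out, n, "password=hunter2");
    int refused = fixed_reply(rec, out, sizeof out) == 0;
    return leaked && refused;
}

int main(void)
{
    unsigned char out[64];
    size_t rec = build_record(64, "hello", "password=hunter2");
    size_t n = vulnerable_reply(rec, out, sizeof out);
    printf("vulnerable reply (%zu bytes): ", n);
    for (size_t i = 0; i < n; i++)
        putchar(out[i] >= 32 && out[i] < 127 ? out[i] : '.');
    printf("\nfixed reply: %zu bytes\n", fixed_reply(rec, out, sizeof out));
    return run_demo() ? 0 : 1;
}
```

With a legitimate request (claimed length equal to the real payload) both handlers return the same five bytes, so the fix costs nothing for honest peers; the difference only shows when the claimed length exceeds what was actually received. Swap the 64 for 65535 and a larger arena and you have the 64 KB per request that post 7 refers to.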
  8. Pi1otguy

    Pi1otguy Pattern Altitude

    Joined:
    Oct 24, 2007
    Messages:
    2,113
    Location:
    Long Beach, CA
    Display name:
    Fox McCloud
    No offense to the admins, but my PoA password doesn't resemble any other password or have the same level of complexity as I had no security expectations here.

    I rotate my other passwords regularly, but doing it off schedule is a pain.

    But my understanding is that this attack made it possible for the attacker to grab the private key too, making even the encrypted content at risk.