
LastPass Now Checks If Your Sites Are Affected by Heartbleed - wglb
http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html
======
gojomo
Notably some sites are using fresh certificates that have the same
(months-in-the-past) starting-validity date as their old certificates. For
example, Heroku has done this.

(I can think of a few process and fee reasons this approach might be picked.
Perhaps a CA might offer a free new cert and revocation, if and only if the
new cert has the same validity range as the one it replaces. An ops team might
prefer one consistent time of year for the ceremony of non-emergency
certificate rotation.)

I didn't notice any field in the cert-viewers of Firefox or Chrome that could
reliably tell the true issue-date of a new certificate.

Is LastPass just looking at the start of the validity, or does it have some
way to know if the certificate is truly new?

~~~
pwman
We haven't found a way to do this -- we're using openssl s_client to get the
start date, but one of our own certificates for LastPass.eu also reissued
without changing the date so we know it's a problem.

We wish we had all sites' certificate fingerprints from before this started so
we could utilize that data -- if anyone has it, an email to
securit@lastpass.com would be greatly appreciated.

~~~
IgorPartola
I believe if you use a new private key but sign the same CSR the dates will
not change. Ideally the old certs should be revoked which should provide some
info on this. I saw this explanation on the discussion of the herokuapp.com's
cert's dates not changing.

~~~
wiml
This is entirely up to the issuing CA's process. Thawte, for example, happily
revokes-and-reissues certificates for free (perhaps only for "enterprise"
customers?), and the newly issued certificate has the same end-validity date
as the revoked certificate but the start-validity date is set to the time of
issue.

I notice herokuapp.com's CA is DigiCert, so perhaps they have the opposite
policy, of giving the reissued cert the same start date as the revoked cert.

I don't think there's a standard field in an X.509 cert for issue date.

It's possible to download a CA's CRL and look for revoked certs, but all you
get are serial numbers and revocation dates, not subject names.
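
The question gojomo and pwman raise (is a certificate truly new when its start
date is unchanged?) and wiml's two observations (the dates are whatever the CA's
process sets, and a CRL lists only serial numbers) can be made concrete. The
following Python example is added here; it is not LastPass's checker and not
code from anyone in the thread. It builds two constructed, unsigned toy
certificates that share the same validity window but carry a new serial number
and a new key, then shows that a notBefore comparison reports "unchanged" while
the serial, the public-key hash and the certificate fingerprint all change. The
`toy_certificate` builder, the serial numbers and the key bytes are all made up
for the demo; `inspect_pem` accepts a real PEM block such as the one
`openssl s_client -showcerts` prints.

```python
"""Constructed example: why a certificate's notBefore date cannot tell you
whether a site re-keyed after Heartbleed, and which fields to compare instead."""
import hashlib
import ssl

# ASN.1 tags used below
SEQ, INT, OID, BITSTR, UTCTIME, CTX0 = 0x30, 0x02, 0x06, 0x03, 0x17, 0xA0


def der(tag, content):
    """Encode one DER element with a definite-length header."""
    n = len(content)
    if n < 0x80:
        header = bytes([tag, n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([tag, 0x80 | len(lb)]) + lb
    return header + content


def read_tlv(buf, pos=0):
    """Decode the element at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """List the elements directly inside a constructed DER element."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def toy_certificate(serial, not_before, not_after, pubkey):
    """Build a structurally valid DER certificate with a dummy signature (constructed
    for this demo; it parses like a real one but would never verify).
    Times are UTCTime strings such as '140101000000Z'."""
    alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA OID
    name = der(SEQ, b"")                                          # empty Name
    validity = der(SEQ, der(UTCTIME, not_before.encode()) + der(UTCTIME, not_after.encode()))
    spki = der(SEQ, alg + der(BITSTR, b"\x00" + pubkey))
    tbs = der(SEQ,
              der(CTX0, der(INT, b"\x02"))                         # version v3
              + der(INT, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
              + alg + name + validity + name + spki)
    return der(SEQ, tbs + alg + der(BITSTR, b"\x00" * 33))        # dummy signature


def inspect_der(cert):
    """Pull out the fields a 'did this site re-key?' check can look at."""
    _, content, _ = read_tlv(cert)
    _, tbs, _ = read_tlv(content)
    fields = children(tbs)
    if fields[0][0] == CTX0:          # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # tbsCertificate order: serial, signature alg, issuer, validity, subject, spki
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    not_before, not_after = (t.decode() for _, t in children(fields[3][1]))
    spki = der(fields[5][0], fields[5][1])
    return {
        "serial": serial,                      # what a CRL entry would list
        "not_before": not_before,
        "not_after": not_after,
        "fingerprint": hashlib.sha256(cert).hexdigest(),
        "spki_sha256": hashlib.sha256(spki).hexdigest(),
    }


def inspect_pem(pem):
    """Same check on a PEM block, e.g. one pasted from `openssl s_client -showcerts`."""
    return inspect_der(ssl.PEM_cert_to_DER_cert(pem))


def compare(old, new):
    """Signals available to a checker that saved the pre-Heartbleed certificate."""
    return {
        "date_changed": new["not_before"] != old["not_before"],
        "serial_changed": new["serial"] != old["serial"],
        "key_changed": new["spki_sha256"] != old["spki_sha256"],
        "cert_changed": new["fingerprint"] != old["fingerprint"],
    }


# Constructed sample: a reissue that keeps the old validity window but uses a
# new serial and a new key, the case the thread describes.
OLD_CERT = toy_certificate(0x1001, "140101000000Z", "150101000000Z", b"\x01" * 64)
NEW_CERT = toy_certificate(0x1002, "140101000000Z", "150101000000Z", b"\x02" * 64)
OLD_CERT_PEM = ssl.DER_cert_to_PEM_cert(OLD_CERT)   # the form s_client would print

if __name__ == "__main__":
    old, new = inspect_der(OLD_CERT), inspect_der(NEW_CERT)
    for signal, value in compare(old, new).items():
        print(f"{signal:15} {value}")
```

Run as a script it prints `date_changed False` and `True` for the other three
signals: a date-only check would mark this site as not yet re-keyed, while a
stored fingerprint (or the public-key hash, which is what actually changes when
a key is replaced) detects the new certificate. Without a saved pre-incident
fingerprint, the only other evidence is the old serial number turning up on the
CA's CRL, which is why the serial is extracted alongside the dates.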

~~~
IgorPartola
I think this explains what we've seen best.

------
devindotcom
I've been meaning to switch to a password organizer rather than rely on my
browser's built-in one (I know)... I've seen a few discussions on here but I
haven't seen a clear victor. In your opinion, is LastPass the one I should go
with? Or Keepass or OnePass or one of the others?

Edit just to say I think this is a very nice feature by LastPass and thanks
for posting.

~~~
plg
OK I'll bite ... why should I not use my browser's built in pw manager? (e.g.
Safari on OS X Mavericks)

I can see an argument about cross-platform use but is there another reason or
reasons?

thanks,

~~~
awip
This is why: [http://raidersec.blogspot.com/2013/06/how-browsers-store-your-passwords-and.html](http://raidersec.blogspot.com/2013/06/how-browsers-store-your-passwords-and.html)

TL;DR Firefox with a strong master password was considered safe at the time of
that article's writing (June 2013). That + Firefox Sync is what I use - I
would also be interested in anything more up to date on why this is or isn't a
good idea.

~~~
claudius
It’s not the job of the browser to secure your data against OS-level
adversaries, that’s the job of the OS (e.g. by using file permissions to
protect against other users and ideally also MAC to protect against other
software). It’s not even the responsibility of the browser to protect against
someone else walking up to your computer while you’re using the toilet, that’s
the job of the screensaver.

It is, however, the browser’s job to protect your passwords against other
websites and the like, and I would be worried if there were bugs in that area,
but your link doesn’t say anything about them (note also that using a password
manager with an extension for protection against someone taking over the
browser is useless, as that someone also owns the extension and hence can
impersonate it towards the separate password manager).

------
willtheperson
I wish there was (or maybe there is) a protocol for updating your password.
Then managers like lastpass and 1Password could more easily update your
password. Maybe, behind the scenes they could rotate your password every x
days automatically. Having a protocol in place would also make breach notices
an easy "update all passwords" click away.

There's probably a reason this is a bad idea. Let's hear it! :)

~~~
grrowl
It discourages two-factor auth for password change requests (such as site
username and access to your email account), it adds an additional point of
failure, and it would make it easier for attackers to lock you out of your
account once they gain entry.

Plus, if any changes are to be made to the authentication process it should be
migrating to two-factor auth across all services.

~~~
sgeisenh
Authenticator tokens are pretty robust systems. I'd like to see more services
start to make use of them.

~~~
blueskin_
Definitely, as long as there was a common standard (and open source, of
course). Have a keychain token that you can link to accounts, then enter a
password on that and it gives you a (time limited) key to use to login.

------
davidp
Wait. When I click "Security Check" in my LastPass Tools... menu (this is in
Chrome), I get taken to an internet-hosted web page where I'm prompted to
enter my master password. [1] I am not taken to a chrome:// page or some other
client-side tool.

I take this to mean that I'm giving LastPass's web server my actual master
password, and that they will do _server-side_ decryption of my Vault and have
server-side access to my passwords in cleartext.

Is that accurate?

[1] [https://lastpass.com/index.php?securitychallenge=1&lang=en-US&fromwebsite=1&lpnorefresh=1](https://lastpass.com/index.php?securitychallenge=1&lang=en-US&fromwebsite=1&lpnorefresh=1)

~~~
nly
LastPass is proprietary closed source software. For all you know they've never
_not_ had access to your vault.

~~~
tempestn
If you wanted to, it's not too tough to extract the source code of their
browser add-ons to verify for yourself that your vault is encrypted before
being sent to their servers, and that your master password is not sent. (And
of course with this tool it's relatively trivial to look through the
javascript to verify the same.)

So while you can't look at the code running on their servers, it seems to me
that you certainly _can_ know they don't have access to your vault.

------
reedloden
How does their "Updated Cert?" check work? If it's just checking notBefore,
it's going to have a ton of false negatives, as a lot of CAs are just
re-issuing certs using the original notBefore.

------
jasonhoyt
There really should be a disclaimer that this tool is useless when checking
certificates re-keyed with the same starting and end dates. It could create a
reputational risk for sites that are otherwise safe or patched.

------
dalek2point3
BankOfAmerica, perhaps my most important site from a security point of view
does not seem to care:
[https://lastpass.com/heartbleed/?h=bankofamerica.com](https://lastpass.com/heartbleed/?h=bankofamerica.com)

------
comeonnow
I'd love to see an actual list, officially backed, with each website's URL and
whether it has been fixed or not. Also with the ability to submit URLs. Seems
this would be more productive than to let everyone look up their own sites
manually.

------
araftery
Apparently LastPass is still vulnerable:
[https://lastpass.com/heartbleed/?h=LastPass.com](https://lastpass.com/heartbleed/?h=LastPass.com)

~~~
notatoad
Perhaps it has been updated in the last 12 minutes, but that doesn't say
LastPass is vulnerable. They are using a new cert, it's just saying they
_might_ be vulnerable because LastPass can't detect the server's operating
system.

------
Karunamon
This is very cool and answers my, and I'm pretty sure many others', questions
about what passwords are safe to change.

Thanks guys!

~~~
blantonl
If I were you, I would change ALL of your passwords. Regardless of what
lastpass says.

~~~
codeka
The point is, there's no point changing them until the site fixes their
certificates.

~~~
pwman
Exactly!

------
csmatt
This is awesome and I love the auto-prompting in the latest version of
LastPass for Android. Great work guys!

------
retube
Does Heartbleed affect bog-standard ssh as available on your average
linux/ubuntu system?

------
regularfry
Note: this is illegal in the UK.

~~~
alistairjcbrown
[Citation needed]

~~~
regularfry
Computer Misuse Act 1990, section 1.1. The test for the vulnerability requires
running the exploit, whose only function is to secure unauthorised access to
data held on the remote machine. Seems fairly clear-cut to me.

~~~
Oletros
[http://www.legislation.gov.uk/ukpga/1990/18](http://www.legislation.gov.uk/ukpga/1990/18)

I think you're wrong:

Unauthorised access to computer material.

(1)A person is guilty of an offence if— (a)he causes a computer to perform any
function with intent to secure access to any program or data held in any
computer [F1, or to enable any such access to be secured]F1 ; (b)the access he
intends to secure [F2, or to enable to be secured,]F2 is unauthorised; and

Lastpass is not trying to secure the web servers with the check

------
circa
awesome. that was fast. I love lastpass!!

