J2O Heartbleed Bug Verification

PT32 (JCF Member, joined Jul 2008)
Apr 11, 2014, 04:25 PM

Okay, so I don't know if this affects us or not, but I thought I'd check.

The last couple days, word's been going around about a nasty Internet data leak called "Heartbleed," where sites using a certain type of SSL were vulnerable to having any input information (passwords, credit card numbers, etc) exposed, and stolen.

I read somewhere that over 500,000 sites were vulnerable, so I thought I'd check in and make sure our beloved J2O/JCF wasn't/weren't among them.

Any light to shed on this rather disturbing goings-on?

Thanks!
djazz (JCF Member, joined Feb 2009)
Apr 12, 2014, 12:34 AM
I don't think so, since it's an HTTPS+OpenSSL issue. J2O doesn't use encryption, so stuff is sent in the clear over the internet anyway. J2O seems to store my hashed password in a cookie, and that's not encrypted.
Heartbleed allows the "hacker" to access out-of-bounds data through OpenSSL. This data is a part of the memory of the server, and could potentially contain passwords or even the server's private key certificate.
I may be wrong though; this is just how I've heard Heartbleed works.

Here's an XKCD illustration of how it works:
Stijn (Administrator, joined Mar 2001)
Apr 12, 2014, 02:14 AM
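The over-read described in the post above, as an added example in C. This is not code from the thread and not OpenSSL's code: it is a simplified heartbeat handler in the same shape as the vulnerable one (CVE-2014-0160) next to one carrying the bounds check the OpenSSL 1.0.1g patch added. The record layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) is the real one; the memory arena, the "hi" request and the secret string placed after it are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not OpenSSL's code. Everything below the record layout
 * (the arena, the request, the secret) is constructed for illustration. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Simulated server memory: the received record sits at the start, and data
 * belonging to other connections lives a little further along. */
static unsigned char arena[4096];

/* Build a heartbeat request whose declared length may exceed the bytes present.
 * Returns the true length of the record as it arrived on the wire. */
size_t build_request(unsigned char *rec, uint16_t claimed_len,
                     const char *payload, size_t actual_len)
{
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, payload, actual_len);
    memset(rec + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Vulnerable handler: trusts the peer's declared payload length and copies that
 * many bytes out of the record buffer, so whatever follows the record in memory
 * is echoed back. Returns bytes written, or -1 on error. */
long heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    (void)rec_len;                      /* the bug: the real length is never consulted */
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > out_cap)
        return -1;                      /* only the output buffer is bounded */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);  /* over-read: up to 64 KiB past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)(3 + payload + HB_PADDING);
}

/* Fixed handler: type, length, payload and minimum padding must all fit inside
 * the record actually received; otherwise the request is silently discarded. */
long heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;                      /* too short to carry even the header */
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                      /* declared length exceeds the record */
    if ((size_t)3 + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)(3 + payload + HB_PADDING);
}

/* Returns 1 if needle appears anywhere in the first n bytes of hay. */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Scenario: a 2-byte payload ("hi") declared as 512 bytes, with a constructed
 * secret from another session sitting just after the record in memory.
 * Returns the number of secret bytes that ended up in the response. */
size_t leaked_bytes(int use_fixed)
{
    const char secret[] = "session_hash=5f4dcc3b5aa765d61d8327deb882cf99"; /* constructed */
    unsigned char out[1024];
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_request(arena, 512, "hi", 2);
    memcpy(arena + rec_len + 8, secret, sizeof secret - 1);
    long n = use_fixed ? heartbeat_fixed(arena, rec_len, out, sizeof out)
                       : heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    if (n < 0)
        return 0;
    return contains(out, (size_t)n, secret) ? sizeof secret - 1 : 0;
}
```

Calling `leaked_bytes(0)` returns the full 45-byte constructed secret, because the vulnerable handler copies 512 bytes starting at a 2-byte payload; `leaked_bytes(1)` returns 0, because the fixed handler compares the declared length against the record length before the `memcpy` and drops the request. The maximum a single request can pull is bounded by the 16-bit length field, which is where the "64K" figure in this thread comes from.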
Yeah, J2O doesn't use SSL.

Though it's not inconceivable that other sites on the server do, and as such there *is* a non-zero chance that some data got leaked. If you want to be sure, change your password.
init (JCF Member, joined Apr 2010)
Apr 12, 2014, 02:42 AM
Well, at least it's enabled, but not configured properly: https://jazz2online.com. So I think the possibility for a memory leak is still there.
Quote:
If you want to be sure, change your password.
I think the fact that passwords are sent in plain text when logging in is a much greater potential security issue than the possibility that passwords have been leaked through a buggy OpenSSL version used by another site on the same web server which just happens to have J2O passwords stored in the affected 64K memory segment.

Then again, we're talking about a fan site for a video game which was released 16 years ago, so I think this discussion is more of an academic value than any practical one.
PT32 (JCF Member, joined Jul 2008)
Apr 12, 2014, 03:17 PM
Okay, thanks for the info!