Is Brilliant Vulnerable to Heartbleed?

I'm just wondering; I might want to protect myself and change the password because the OpenSSL bug is affecting everyone....

#BugReport #Brilliant #Brilliant.org #OpenSSL #Security

Easy Math Editor

This discussion board is a place to discuss our Daily Challenges and the math and science related to those challenges. Explanations are more than just a solution — they should explain the steps and thinking strategies that you used to obtain the solution. Comments should further the discussion of math and science.

When posting on Brilliant:

Use the emojis to react to an explanation, whether you're congratulating a job well done , or just really confused .
Ask specific questions about the challenge or the steps in somebody's explanation. Well-posed questions can add a lot to the discussion, but posting "I don't understand!" doesn't help anyone.
Try to contribute something new to the discussion, whether it is an extension, generalization or other idea related to the challenge.
Stay on topic — we're all here to learn more about math and science, not to hear about your favorite get-rich-quick scheme or current world events.

Markdown	Appears as
`italics` or `_italics_`	italics
`bold` or `__bold__`	bold
- bulleted - list	bulleted list
1. numbered 2. list	numbered list
Note: you must add a full line of space before and after lists for them to show up correctly
paragraph 1 paragraph 2	paragraph 1 paragraph 2
`[example link](https://brilliant.org)`	example link
`> This is a quote`	This is a quote
# I indented these lines # 4 spaces, and now they show # up as a code block. print "hello world"	# I indented these lines # 4 spaces, and now they show # up as a code block. print "hello world"

Math	Appears as
Remember to wrap math in `$` ... `$` or `\[` ... `\]` to ensure proper formatting.
`2 \times 3`	$2 \times 3$
`2^{34}`	$2^{34}$
`a_{i-1}`	$a_{i-1}$
`\frac{2}{3}`	$\frac{2}{3}$
`\sqrt{2}`	$\sqrt{2}$
`\sum_{i=1}^3`	$\sum_{i=1}^3$
`\sin \theta`	$\sin \theta$
`\boxed{123}`	$\boxed{123}$

Comments

Hi Kevin,

The short answer is: it was vulnerable, but we fixed it, and you probably don't have to worry about it (on our site).

Long answer:

Yes, brilliant.org was one of the sites that used a vulnerable version of openssl, but we patched it and have changed the ssl cert (in case it was compromized) and all of the administrators have changed their passwords (as a precaution).

We don't believe that any information was nefariously gained as a result of this bug but it's very hard to detect so we can't be sure. If you would like to change your password, you are more than welcome to. If you choose to change your password, we would of course encourage you to always use best practices (such as using unique passwords for every site you go to so that if one of the sites has a security breach, the attacker doesn't immediately have access to all of your accounts on other sites). I personally use KeePass/KeePassX (on ubuntu)/KeePassDroid (on Android) along with dropbox so that I don't have to remember hundreds of passwords, I only need to remember one very strong password.

My general advice for navigating heartbleed is, check if a site you plan to visit is vulnerable using one of the tools out there, (this is the fastest I've encountered). If it is vulnerable, don't visit it and definitely don't log into it until it is patched (as long as it isn't patched, a third party may be able to retrieve your username/password/other sensitive information as it transfers through the server that has the vulnerable version of openssl). If you know that a service that you use has been affected, and has recently been patched, it is usually safe to use the site as normal, and if you want to be safe, you can change your password (but not until the site has been patched).

Finally, the last note about this bug is that while a server is vulnerable, it's possible for an attacker to grab the main encryption key from the server while the server is unpatched, which means they could use that to decrypt future traffic until the encryption key is replaced even after the vulnerability is fixed. If you want to be sure that a site which was at one point vulnerable, is now fully secure, you can check the ssl certificate information to see if it was issued since the bug was discovered, though apparently this won't be 100% accurate since it's possible to back-date when a cert is issued, so if you want, you may want to contact the site owner to verify that they have replaced the certificate, rather than assume it's not fixed. Also, if you aren't sure if a service was ever vulnerable or not, perhaps give them the benefit of the doubt since there is no point in reissuing/revoking ssl certificates if they weren't used with vulnerable versions of openssl. It seems like all of the banking websites that I checked (just a few) use older versions of openssl (or maybe even other ssl implementations) that were never vulnerable to this bug.

Sam Solomon Staff - 7 years, 2 months ago

Thanks a lot! @Sam Solomon

Kevin Mo - 7 years, 2 months ago

Math	Appears as
Remember to wrap math in `\(` ... `\)` or `\[` ... `\]` to ensure proper formatting.
`2 \times 3`	$2 \times 3$
`2^{34}`	$2^{34}$
`a_{i-1}`	$a_{i-1}$
`\frac{2}{3}`	$\frac{2}{3}$
`\sqrt{2}`	$\sqrt{2}$
`\sum_{i=1}^3`	$\sum_{i=1}^3$
`\sin \theta`	$\sin \theta$
`\boxed{123}`	$\boxed{123}$