Heartbleed Bug -- What is Comcast doing about it?


Frequent Visitor

Heartbleed Bug -- What is Comcast doing about it?

HUGE announcement today rippling across the Internet and various providers, network equipment manufacturers and others regarding the so-called Heartbleed Bug (see http://heartbleed.com/). Are certs being updated?  Even corporate wireless services have been taken down nationwide for many companies.  This is not a trivial vulnerability!!

-- Typeaux
Problem Solver

Re: Heartbleed Bug -- What is Comcast doing about it?

Comcast would have nothing to do with making sure your computer is safe.  It is up to you, the end user, to make sure your Operating System & Anti-Virus are up to date.

 

This bug has been known about for quite some time.  Patches have been rolling out to fix the problem for around three months now.  If you are not updating your computer's Operating System, Email software and Anti-Virus Software, at some time Comcast, along with the company that created the Operating System, can take you off line.

 

If you had taken the time to read the information on this bug, you would see that it only affects the following Operating Systems:

 

How about operating systems?

Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

 

I really doubt that Comcast is using those particular Linux OS versions.

New Poster

Re: Heartbleed Bug -- What is Comcast doing about it?

Yoo-hoo, Comcast!  Are you going to make a statement?  Amazon has...

Expert

Re: Heartbleed Bug -- What is Comcast doing about it?

The underlying OS has little, if anything, to do with the Heartbleed vulnerability. The culprit is in the OpenSSL encryption software that server software uses. OpenSSL is available for Unix, Linux, Mac and Windows platforms.

 

Servers running on any of those operating systems may be vulnerable if they are using the unpatched version of OpenSSL.



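The point above, that what matters is the OpenSSL version a server links and not its operating system, can be turned into a check. The following Python is an added example, not code from this forum or from Comcast: it classifies an `openssl version` line or a distro package version against the affected range published with the disclosure (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and treats vendor-packaged versions as "check the vendor advisory" because distributions backport fixes without changing the upstream letter. The sample strings are the ones quoted from heartbleed.com earlier in the thread.

```python
"""Classify an OpenSSL version string for Heartbleed (CVE-2014-0160) exposure.
Upstream 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the bug; 1.0.1g,
1.0.2-beta2 and the 0.9.8/1.0.0 branches do not (the TLS heartbeat extension
only arrived in 1.0.1). Distros often backport the fix without changing the
upstream letter, so a packaged version string is only a hint."""
import re
import subprocess

# Upstream fragment such as "1.0.1e", "0.9.8y" or "1.0.2-beta1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
# A distro revision glued to it: "-2+deb7u4", "-4ubuntu5.11", "-15".
_DISTRO_RE = re.compile(r"-(?!beta)\S+")

def parse_openssl_version(text):
    """Return (major, minor, fix, letters, beta, distro_suffix) or None.
    Accepts `openssl version` output ("OpenSSL 1.0.1e 11 Feb 2013") as well
    as bare package versions ("1.0.1e-2+deb7u4")."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    d = _DISTRO_RE.match(text[m.end():])
    return major, minor, fix, m.group(4), beta, (d.group(0) if d else "")

def upstream_affected(major, minor, fix, letters, beta):
    """True if this upstream OpenSSL release ships the buggy heartbeat code."""
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) up to and including 1.0.1f; 1.0.1g carries the fix.
        return letters == "" or (len(letters) == 1 and letters <= "f")
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1  # only 1.0.2-beta1; beta2 onward were fixed
    return False

def heartbleed_status(text):
    """'vulnerable', 'not-vulnerable', 'check-vendor' or 'unknown'."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, fix, letters, beta, distro = parsed
    if not upstream_affected(major, minor, fix, letters, beta):
        return "not-vulnerable"
    if distro:
        # Affected upstream base inside a vendor package: the vendor may have
        # backported the fix, so its security advisory is authoritative.
        return "check-vendor"
    return "vulnerable"

def local_openssl_status():
    """Classify the `openssl` binary on this host; None if it is not present."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None
    return out, heartbleed_status(out)

# Constructed sample input: distribution strings quoted from heartbleed.com
# earlier in the thread.
SAMPLES = {
    "Debian Wheezy": "OpenSSL 1.0.1e-2+deb7u4",
    "Ubuntu 12.04.4 LTS": "OpenSSL 1.0.1-4ubuntu5.11",
    "CentOS 6.5": "OpenSSL 1.0.1e-15",
    "OpenBSD 5.3": "OpenSSL 1.0.1c 10 May 2012",
    "FreeBSD 8.4": "OpenSSL 0.9.8y 5 Feb 2013",
    "FreeBSD Ports": "OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)",
}

def classify_all(samples=SAMPLES):
    """Map each sample name to its Heartbleed status."""
    return {name: heartbleed_status(v) for name, v in samples.items()}
```

Note that the `openssl` binary on a host is not necessarily what a given service links against, and a server banner such as Apache-Coyote (Tomcat) does not by itself establish that OpenSSL terminates the TLS connection; the check is a first pass, not a verdict.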
Frequent Visitor

URGENT. Heartbleed - what is the status of Comcast accounts

From USA Today - Apr 9, 2014 at 1:38 pm:

 

"Citing an April survey from research site Netcraft, Codenomicon's Heartbleed website says roughly two-thirds of active sites on the Internet run OpenSSL. ...

 

... Security experts tell the AP a password change won't help if the services affected by Heartbleed aren't updated."

 

Based on the above article, I have two questions: 

 

1. Does this affect Comcast?

2. If so, should I change my passwords now or wait?

 

Thank you.

Problem Solver

Re: Heartbleed Bug -- What is Comcast doing about it?

LoPhatPhuud is correct - as are most postings regarding this. I can only speak for Constant Guard Protection Suite, but if someone has concerns regarding the “Heartbleed” bug, the accounts stored with Constant Guard Protection Suite are safe. We do not store customer credentials remotely, nor do we use OpenSSL in our infrastructure. However, this does NOT mean that a bank or a site a customer may visit is secure. The chances are good that most banks and any larger shopping, email or social network sites have already patched their OpenSSL, but concerned individuals should contact their banks or shopping sites and ask if they have patched their OpenSSL to prevent any data theft via the Heartbleed bug.

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

Since about two-thirds of active sites on the Internet run OpenSSL, it would be reassuring to know where Comcast customers stand.

 

A lot of people are trying to figure out whether it is too soon to change their passwords. According to USA Today, "Security experts tell the AP a password change won't help if the services affected by Heartbleed aren't updated."

Problem Solver

Re: URGENT. Heartbleed - what is the status of Comcast accounts

Hi 1greengirl - please see this post:

 

http://forums.comcast.com/t5/Security-and-Anti-Virus/Heartbleed-Bug-What-is-Comcast-doing-about-it/m...

 

There is a lot of concern about it, at this time, but it's very likely that your bank and any larger shopping sites have already patched their OpenSSL, if they use it. If you are concerned - contact the sites you bank or shop with, and ask if they have patched their service.

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

CGPS, thank you for your response.  I think a broader response that covers the entirety of Comcast is what's needed.

Frequent Visitor

Re: URGENT. Heartbleed - what is the status of Comcast accounts

TYVM, CGPS. I'm also concerned about my Comcast accounts - email and my customer account.

New Poster

Re: URGENT. Heartbleed - what is the status of Comcast accounts

 

Using the website 

 

http://filippo.io/Heartbleed/

 

it indicates comcast.net has a problem:

 

dial tcp 69.252.80.75:443: i/o timeout

New Poster

Re: URGENT. Heartbleed - what is the status of Comcast accounts

What is Comcast doing and what do we need to do?  What communications were at risk?

Expert

Re: Heartbleed Bug -- What is Comcast doing about it?

Not to negate the seriousness of the exploit, here's some info that indicates the exposure may be less than 10% of the servers.

 

https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt



Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

Kind of you to post, TYVM, LoPhaat. (And congratulations on your healthy diet.) I have looked at this website. However, what is needed is an official response from Comcast. But again, TYVM. I appreciate you taking the time. Comcast?

Frequent Visitor

Re: URGENT. Heartbleed - what is the status of Comcast accounts

From Digital Life:  "While some security advisors are telling people to change their passwords, you could be changing a password on a site that hasn’t been fixed and while you go on with your life, figuring you’ve solved this Heartbleed problem, hackers could be picking up your new password and sign in credentials."

 

Any word yet from Comcast HQ?

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

From Digital Life:  While some security advisors are telling people to change their passwords, you could be changing a password on a site that hasn’t been fixed and while you go on with your life, figuring you’ve solved this Heartbleed problem, hackers could be picking up your new password and sign in credentials.

 

Comcast, please respond.

New Poster

New virus

What, if anything, has Comcast/Xfinity done to ensure the Heartbreak virus is not affecting us?
New Poster

Heartbleed patch

Has Comcast patched the Heartbleed bug on their internet service yet? All the news reports say to wait until your service provider has let you know that they have patched the bug before changing any passwords.

Frequent Visitor

Re: URGENT. Heartbleed - what is the status of Comcast accounts

Best list of status of Heartbleed fixes so far: . Thanks, Mashable!

 

Which sites have patched the Heartbleed bug

 

 

Remember that huge security bug, Heartbleed? LastPass now tells you which affected passwords you should change:


Valued Contributor

Heartbleed

What is the status of Comcast Email in regards to Heartbleed?

New Poster

Re: Heartbleed Bug -- What is Comcast doing about it?

I just had a chat with Comcast help.  I was told that the company has no official announcement regarding heartbleed at this time.   To me, that means we've got to assume the site is vulnerable.  I note, however, that the agent also advised me to change my password and told me Norton Antivirus would fix the problem (so I needn't worry about it?) - very, very bad advice according to dozens of newspaper articles.  And s/he assumed I was asking about being locked out and needing to reset my password - it took three tries to convey a question about heartbleed virus.  Clearly, he or she had no idea what he or she was talking about.

Pretty reprehensible that 1) comcast/xfinity hasn't fixed the problem 2) comcast/xfinity is intentionally keeping its customers in the dark when every other website company I use has a status announcement on its home page and 3) Comcast/Xfinity help agents apparently haven't even heard of the problem.

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

I have to agree on all points. 

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

When I ran the LastPass Heartbleed Checker against comcast.net it came back with this:

 

Site: www.comcast.net
Server software: Apache-Coyote/1.1
Vulnerable: Definitely (known use OpenSSL)
SSL Certificate: Unsafe (created 9 months ago at Jul 17 04:15:40 2013 GMT)
Assessment: Wait for the site to update before changing your password


So is the Comcast email server secure or not?

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

If I just have email, need I worry about it?

Silver Problem Solver

Re: Heartbleed Bug -- What is Comcast doing about it?


@dnix77 wrote:

When I ran the LastPass Heartbleed Checker against comcast.net it came back with this:

 

Site: www.comcast.net
Server software: Apache-Coyote/1.1
Vulnerable: Definitely (known use OpenSSL)
SSL Certificate: Unsafe (created 9 months ago at Jul 17 04:15:40 2013 GMT)
Assessment: Wait for the site to update before changing your password


So is the Comcast email server secure or not?


http://filippo.io/Heartbleed/#www.comcast.net

http://filippo.io/Heartbleed/#xfinity.comcast.net

http://filippo.io/Heartbleed/#mail.comcast.net:995

http://filippo.io/Heartbleed/#smtp.comcast.net:465

 

All return a 'Good' status.


New Poster

Re: Heartbleed Bug -- What is Comcast doing about it?

Worse than the new bug, Comcast still supports SSL V2.  Man!

just checked:

 

Site: www.comcast.net
Server software: Apache-Coyote/1.1
Vulnerable: Definitely (known use OpenSSL)
SSL Certificate: Unsafe (created 9 months ago at Jul 17 04:15:40 2013 GMT)
Assessment: Wait for the site to update before changing your password

Gold Problem Solver

Re: Heartbleed Bug -- What is Comcast doing about it?


@CordeliaAnne wrote:

If I just have email, need I worry about it?


Yes, especially if your email address is the PRIMARY Comcast user account.

You do not want anyone else to be able to access your account information: full name, address, account number.

 

They would not need much to engage in identity theft. Once they had the basic information it would not take long for a seriously determined person to gather other personal information about you which they could then use for themselves.

 

edit to add:

 

I used this for my testing purposes https://customer.comcast.com/Secure/MyAccount

All good, customer.comcast.com seems fixed or unaffected!        

 

New Poster

Re: Heartbleed Bug -- What is Comcast doing about it?

Yup "F", because, not even counting the new SSL thing, look at all the old horrible stuff Comcast supports.

 

 

https://www.ssllabs.com/ssltest/analyze.html?d=comcast.net&s=23.3.97.32&ignoreMismatch=on

 

This server's certificate is not trusted. Grade set to F.

This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F.

The server does not support Forward Secrecy with the reference browsers

 

Man, and look at the profit they are making off of our incredible bills!

 

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

So is it unsafe to log into email? (I'm not primary.)

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

which shall I trust?

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

In the midst of conflicting information, the absence of a statement from Comcast - a Fortune 50 company - seems odd. 

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

TYVM, Cordelia. Since the word "allegedly" is in the title, this is not definite information. To set everyone straight, Comcast needs to be the one to tell their users and customers what is going on and what to do.

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Yeah. Apologizing for the naive question, but what does TYVM mean?

Re: Heartbleed Bug -- What is Comcast doing about it?


@CordeliaAnne wrote:

Yeah. Apologizing for the naive question, but what does TYVM mean?


Thank You Very Much


Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

It's not so one dimensional. Anyone who orders goods over the Internet (and most of us do) using credit cards, or doing any online banking (even just checking your account), or have business with various municipal, state, or federal agencies, may or may not have a problem.

 

The issue with Comcast, as I see it, is that they are the gateway to all of this information. They also have something of ours (payment card information, for example, for billing or for purchasing new goods or services) that can possibly be exploited via the unfixed Heartbleed Bug (CVE-2014-0160 -- where CVE stands for Common Vulnerabilities and Exposures) occurring in OpenSSL versions prior to 1.0.1. 

 

OpenSSL runs on multiple operating systems, and is widely used by all manner of entities using SSL (Secure Socket Layer) to protect data in transit.  The exploit allows up to 64k "chunks" of data to be syphoned off from any transaction. That's enough data to contain personal account numbers, Social Security numbers, medical account numbers, etc. 

 

So, the only thing I can see Comcast doing is:

    a.) fix any and all instances of OpenSSL that have the vulnerability (and notify users)

    b.) inform users that there is a possibility that ANY Internet transactions occurring over the past (let's say three months -- the exploit has been known for longer than that but wasn't widely publicized) may have been exploited. Since Heartbleed leaves no fingerprints or other digital traces, it is impossible to detect whether it has been used against a network.

    c.) urge users to contact these enterprises or organizations (the ones we end users have done online business with) and find out whether or not the fix has been done on THEIR end (Comcast has no control over other networks).

 

Comcast is only responsible for fixing any vulnerabilities it might have on its own networks. But it should notify its user base if there was any period of time that the system was vulnerable, and what has been done to correct it.

 

People in Comcast tech support not having knowledge of this possible exploit is simply unacceptable.

 

In the meantime, it doesn't do any good to change passwords until you know that the vulnerability has been patched on the OTHER end of your transactions (including transactions with Comcast).  However, even if Comcast fixes their servers (provided they needed to), it doesn't fix your transactions with banks, online retailers, credit card companies, payment card systems (Square, PayPal, etc.), medical facilities (including your HMO), government agencies, or anyone else you may have interacted with over the past few months (but realistically, probably over the past week or two).

 

-- Typeaux
Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

I've checked several "heartbleed" checker websites and they all say Comcast.com et al are vulnerable. 

 

I would like to add my voice to the request that Comcast issue an official statement regarding whether it uses openssl on ANY of its servers, and, if so, has it patched them! 

 

Changing the password to our Comcast account is useless if the server logging us in is using vulnerable openssl software. 

 

COMCAST, PLEASE ISSUE AN OFFICIAL STATEMENT. 

 

Thank you.

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

Good video and article from CBS News:

 

The "heartbleed" bug may have put millions of passwords, credit card details and sensitive information in the hands of nefarious hackers. Before you change your passwords, security experts suggest making sure the website is now secure, and provide tips for creating stronger passwords.

 

http://www.cbsnews.com/news/changing-your-password-for-heartbleed-bug-heres-what-you-need-to-know/

Problem Solver

Re: Heartbleed Bug -- What is Comcast doing about it?


@1greengirl wrote:

CGPS, thank you for your response.  I think a broader response that covers the entirety of Comcast is what's needed.


 

You are exactly correct.

 

The status of Comcast's web domain servers is important, but only a small part of that which is potentially vulnerable related to Comcast's services.

Comcast uses 2 vendors & their servers for Customer Billing of its Cable services.

Comcast uses vendors & their servers for Email services.

Comcast uses vendors & their servers for customers' Home Pages.

Comcast uses vendors & their servers for the Comcast Forum.

Comcast uses vendors & their servers for Phone Support.

Comcast uses vendors & their servers for Home Security services.

Comcast uses vendors & their servers for Online Chat Support.

Comcast uses vendors & their servers for paid Signature Support.

Comcast uses vendors & their servers for Online purchases.

Comcast uses vendors & their servers for Online Bill Pay.

(and I'm sure the list goes on)

Comcast uses vendors & their servers for multiple elements that are included in the body of each web page throughout the Comcast.com & Comcast.net web sites, including secure web pages.

Comcast shares private customer information with its vendors (who use their own servers) as it deems necessary & as needed in the course of providing a whole range of products & services to Comcast customers.

And let's not forget, OpenSSL is potentially used in some CMTS equipment & backbone servers & equipment.   OpenSSL is used in the internet modems Comcast provides customers, or modems that we own ourselves.  But I don't know if modems can be vulnerable; it would make this all the worse if so.

 

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Problem Solver

Re: Heartbleed Bug -- What is Comcast doing about it?

 

Great.

The status of Comcast's web domain servers (web site servers) is important, but only a small part of that which is potentially vulnerable related to Comcast's services.  [scroll up]

Same holds true for every company, not just Comcast.

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?


@dj280 wrote:

 

Great.

The status of Comcast's web domain servers (web site servers) is important, but only a small part of that which is potentially vulnerable related to Comcast's services.  [scroll up]

Same holds true for every company, not just Comcast.


What outside server does Comcast Email use?

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

CorneliaAnne - TY.

 

Then, for heaven's sake, why doesn't Comcast tell their customers with a quick email blast? Just looking for the official word about status.

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

I don't know. It's what I'd like, too. Also, as you can see on CNET, Comcast has not said if it wasn't vulnerable, or if it installed the fix. There's a big difference.

New Poster

Getting Information on Heartbleed virus

Why is Comcast not posting any information about the heartbleed virus and whether its websites are vulnerable or not?

 

After a lot of searching through the website, I finally called the security center and they verbally told me that the Comcast websites are secure, but they would not send me an email to confirm this and indicated there are no plans to post this information on the general website.

 

This makes no sense! Does anybody understand why Comcast would be hesitant to do so, especially if they claim their website is safe?

New Poster

Re: Getting Information on Heartbleed virus

Without an official statement by Comcast, I have no confidence that Comcast systems and services are secure. None of the four support techs I spoke to yesterday knew anything about the Heartbleed Bug nor could they connect me with anyone who did. I was hung up on three times after they said they were going to connect me with someone higher up who knew about security. The fourth person I spoke with was someone in a local office who didn't know anything either but was going to research the issue not only at my request but also for himself as he is a Comcast customer. He has not gotten back to me with any additional information.

 

I'd say Comcast has been MIA in all of this. The CNET site still says the company has not responded.

New Poster

Re: Getting Information on Heartbleed virus

I used the LastPass Heartbleed checker and got this result:

 

Site: www.comcast.net
Server software: Apache-Coyote/1.1
Vulnerable: Probably (known use OpenSSL, but might be using a safe version)
SSL Certificate: Possibly Unsafe (created 9 months ago at Jul 17 04:15:40 2013 GMT)
Assessment:

It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.

 

 

Valued Contributor

Re: Getting Information on Heartbleed virus

Site: www.comcast.com
Server software: Microsoft-IIS/7.5
Was vulnerable: No (does not use OpenSSL)
SSL Certificate: Safe (regenerated 8 months ago)
Assessment:

This server was not vulnerable, no need to change your password unless you have used it on any other site!

Valued Contributor

Re: Getting Information on Heartbleed virus

Site: login.comcast.net
Server software: Apache
Was vulnerable: Probably (known use OpenSSL, but might be using a safe version)
SSL Certificate: Possibly Unsafe (created 1 year ago at Mar 20 00:00:00 2013 GMT)
Assessment: It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.