On 4/9/2014 12:57 PM, Joe Btfsplk wrote:
On 4/8/2014 5:24 PM, Joe Btfsplk wrote:On 4/8/2014 4:25 PM, grarpamp wrote:https://blog.torproject.org/ covers what to do for Tor things.
.snip.
http://s3.jspenguin.org/ssltest.py https://gist.github.com/takeshixx/10107280 https://github.com/FiloSottile/Heartbleed https://www.ssllabs.com/ssltest/index.html (Note, this is a TLS in process bug, so more than HTTP/S services are affected...) This bug will no doubt trigger some thinking, analysis and change in the services, security, infrastructure and user communites... that's a good thing.Thanks. Adding one more heartbleed vulnerability site I tried: http://rehmann.co/projects/heartbeat/?domain=
.snip.
UPDATE: Users should not assume that by now, their bank / other HTTPS sites have patched the OpenSSL software. Use one of the check sites, to see if a domain / server is still vulnerable to heartbleed bug. As of late morning, 4/9/14, one of my banks (takes > 1 to hold all my $ :D) still hasn't patched it. They have no warning on their site about it & apparently aren't restricting user login to access acct info or online bill pay. They're not cautioning users to be alert for suspicious activity in their acct.
It seems no one wants to talk or hear about this issue. It is not being reported on media sites or anywhere else, other than the Heartbleed site, and the OpenSSL lists.
This bug has been a known issue for about 2 years, and we are only now learning about it. Not from banking, credit card, or shopping sites, nor from most news sites (the reports I've seen on news sites tend to downplay the scope and severity of the problem altogether, or simply say, "It's fixed"). Saying "it's fixed", is far from true.
It makes me wonder if the NSA was involved in inserting this bug into OpenSSL clients and servers.
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk