[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL



On 4/9/2014 12:36 PM, Andrew F wrote:
Would be interesting if someone created an app to test for the problem and
then published which big websites are slow to upgrade.
that would certainly be good for consumers.
Well, one website sorta has. They seem to have more extensive testing for overall security procedures, not just the heartbleed bug.
https://www.ssllabs.com/ssltest/analyze.html
They give a rating for sites in areas like
- following best practices for server security (based on their own published guide)
- heartbleed vulnerability
- type ciphers used
- whether they use forward secrecy

They list a few of most recent sites tested, under several categories; certainly not extensive. It would be interesting to see how long it took sites to fix this issue, but wouldn't the process have needed to start very early after it was announced? I too think avg consumers could benefit from seeing websites "safety ratings," but that's a moving target. Seems it'd need updating constantly. Which I guess could be done.

Using SSLlabs.com & some others to confirm findings, I was quickly able to determine that most banks - large & small - already installed the openSSL patch, much earlier on Tues. - possibly on Mon. Where this smaller bank w/ a fair number of regional branches that I use, still had not upgraded OpenSSL as of midday on Wed 4/9.

The manager / VP in charge of their computer operations didn't reply to my email informing him of the continued problem, until... I sent a follow up to the bank COO, that the problem was still unresolved as of 4/9/14. Funny how that works. The followup reminding them both that they were putting themselves & customers at risk; from being so slow to implement the patch compared to comparable businesses, from not warning customers of the issue & by not stopping customers from logging in (potentially exposing passwords & critical data), until sufficient fixes were in place.

This may be a good thing to find out general practices. They've been slow about past, immediate security issues, which I brought to their attention & they never said, "Sorry," "Get bent," or anything. Only made excuses for being out of the office. This could be the final straw for me using them for primary online banking.



--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk