[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
On 4/9/2014 12:36 PM, Andrew F wrote:
Well, one website sorta has. They seem to have more extensive testing
for overall security procedures, not just the heartbleed bug.
Would be interesting if someone created an app to test for the problem and
then published which big websites are slow to upgrade.
that would certainly be good for consumers.
They give a rating for sites in areas like
- following best practices for server security (based on their own
- heartbleed vulnerability
- type ciphers used
- whether they use forward secrecy
They list a few of most recent sites tested, under several categories;
certainly not extensive.
It would be interesting to see how long it took sites to fix this issue,
but wouldn't the process have needed to start very early after it was
I too think avg consumers could benefit from seeing websites "safety
ratings," but that's a moving target. Seems it'd need updating
constantly. Which I guess could be done.
Using SSLlabs.com & some others to confirm findings, I was quickly able
to determine that most banks - large & small - already installed the
openSSL patch, much earlier on Tues. - possibly on Mon.
Where this smaller bank w/ a fair number of regional branches that I
use, still had not upgraded OpenSSL as of midday on Wed 4/9.
The manager / VP in charge of their computer operations didn't reply to
my email informing him of the continued problem, until... I sent a
follow up to the bank COO, that the problem was still unresolved as of
4/9/14. Funny how that works.
The followup reminding them both that they were putting themselves &
customers at risk; from being so slow to implement the patch compared to
comparable businesses, from not warning customers of the issue & by not
stopping customers from logging in (potentially exposing passwords &
critical data), until sufficient fixes were in place.
This may be a good thing to find out general practices. They've been
slow about past, immediate security issues, which I brought to their
attention & they never said, "Sorry," "Get bent," or anything.
Only made excuses for being out of the office. This could be the final
straw for me using them for primary online banking.
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to