
Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL



On 4/9/2014 12:57 PM, Joe Btfsplk wrote:
On 4/8/2014 5:24 PM, Joe Btfsplk wrote:
On 4/8/2014 4:25 PM, grarpamp wrote:

https://blog.torproject.org/ covers what to do for Tor things.
.snip.
http://s3.jspenguin.org/ssltest.py
https://gist.github.com/takeshixx/10107280
https://github.com/FiloSottile/Heartbleed
https://www.ssllabs.com/ssltest/index.html
(Note, this is a TLS in process bug, so more than HTTP/S services are
affected...)

This bug will no doubt trigger some thinking, analysis and change in
the services, security, infrastructure and user communities... that's a good thing.
Thanks.  Adding one more heartbleed vulnerability site I tried:
http://rehmann.co/projects/heartbeat/?domain=
.snip.
UPDATE: Users should not assume that by now their bank / other HTTPS sites
have patched the OpenSSL software.
Use one of the check sites to see if a domain / server is still vulnerable to
the Heartbleed bug.

As of late morning, 4/9/14, one of my banks (takes > 1 to hold all my $ :D)
still hasn't patched it.

They have no warning on their site about it & apparently aren't restricting
user login to access acct info or online bill pay.

They're not cautioning users to be alert for suspicious activity in their acct.

It seems no one wants to talk or hear about this issue. It is not being reported on media sites or anywhere else, other than the Heartbleed site, and the OpenSSL lists.

This bug has been a known issue for about 2 years, and we are only now learning about it. Not from banking, credit card, or shopping sites, nor from most news sites (the reports I've seen on news sites tend to downplay the scope and severity of the problem altogether, or simply say, "It's fixed"). Saying "it's fixed" is far from true.

It makes me wonder if the NSA was involved in inserting this bug into OpenSSL clients and servers.