[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
From: Joe Btfsplk <joebtfsplk@xxxxxxx>
Date: Wed, 09 Apr 2014 16:13:14 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 09 Apr 2014 17:27:12 -0400
In-reply-to: <CAMnnSdjpcDbYb-x3BOs5gPtzwm4H3jGEOMpcK_iJhtdaWzURDg@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <CAEzaO-X2-_+uDdxpi3XqXWLCG6PAHTKMASLZWz3pMMZFQ2_DDQ@xxxxxxxxxxxxxx> <CAD2Ti29Fi7_ASyZVOewCQEYptUa=qnhMZwBs3=0UX3FBoXGKaQ@xxxxxxxxxxxxxx> <53443999.2090906@xxxxxxx> <CAD2Ti2-r1MSybobmk9eZuhgB+O5kO2xtnD74U4HVLtpRkVLTVQ@xxxxxxxxxxxxxx> <53447721.9070209@xxxxxxx> <53457BE8.4020500@xxxxxxx> <CAMnnSdjpcDbYb-x3BOs5gPtzwm4H3jGEOMpcK_iJhtdaWzURDg@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0

On 4/9/2014 12:36 PM, Andrew F wrote:

Would be interesting if someone created an app to test for the problem and
then published which big websites are slow to upgrade.
that would certainly be good for consumers.

Well, one website sorta has. They seem to have more extensive testingfor overall security procedures, not just the heartbleed bug.

https://www.ssllabs.com/ssltest/analyze.html
They give a rating for sites in areas like

- following best practices for server security (based on their ownpublished guide)

- heartbleed vulnerability
- type ciphers used
- whether they use forward secrecy

They list a few of most recent sites tested, under several categories;certainly not extensive.It would be interesting to see how long it took sites to fix this issue,but wouldn't the process have needed to start very early after it wasannounced?I too think avg consumers could benefit from seeing websites "safetyratings," but that's a moving target. Seems it'd need updatingconstantly. Which I guess could be done.

Using SSLlabs.com & some others to confirm findings, I was quickly ableto determine that most banks - large & small - already installed theopenSSL patch, much earlier on Tues. - possibly on Mon.Where this smaller bank w/ a fair number of regional branches that Iuse, still had not upgraded OpenSSL as of midday on Wed 4/9.

The manager / VP in charge of their computer operations didn't reply tomy email informing him of the continued problem, until... I sent afollow up to the bank COO, that the problem was still unresolved as of4/9/14. Funny how that works.The followup reminding them both that they were putting themselves &customers at risk; from being so slow to implement the patch compared tocomparable businesses, from not warning customers of the issue & by notstopping customers from logging in (potentially exposing passwords &critical data), until sufficient fixes were in place.

This may be a good thing to find out general practices. They've beenslow about past, immediate security issues, which I brought to theirattention & they never said, "Sorry," "Get bent," or anything.Only made excuses for being out of the office. This could be the finalstraw for me using them for primary online banking.




--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
  - From: grarpamp
- Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
  - From: Joe Btfsplk
- Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
  - From: grarpamp
- Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
  - From: Joe Btfsplk
- Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
  - From: Joe Btfsplk
- Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
  - From: Andrew F

Prev by Author: Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Next by Author: Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Previous by thread: Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Next by thread: Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Index(es):
- Author
- Thread