[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

Christopher J. Walters cwal989 at comcast.net
Wed Apr 9 18:29:19 UTC 2014


On 4/9/2014 12:57 PM, Joe Btfsplk wrote:
> On 4/8/2014 5:24 PM, Joe Btfsplk wrote:
>> On 4/8/2014 4:25 PM, grarpamp wrote:
>>>
>>> https://blog.torproject.org/ covers what to do for Tor things.
.snip.
>>> http://s3.jspenguin.org/ssltest.py
>>> https://gist.github.com/takeshixx/10107280
>>> https://github.com/FiloSottile/Heartbleed
>>> https://www.ssllabs.com/ssltest/index.html
>>> (Note, this is a TLS in process bug, so more than HTTP/S services are
>>> affected...)
>>>
>>> This bug will no doubt trigger some thinking, analysis and change in
>>> the services,
>>> security, infrastructure and user communities... that's a good thing.
>> Thanks.  Adding one more heartbleed vulnerability site I tried:
>> http://rehmann.co/projects/heartbeat/?domain=
.snip.
> UPDATE:  Users should not assume that by now, their bank / other HTTPS sites
> have patched the OpenSSL software.
> Use one of the check sites, to see if a domain / server is still vulnerable to
> heartbleed bug.
>
> As of late morning, 4/9/14, one of my banks (takes > 1 to hold all my $ :D)
> still hasn't patched it.
>
> They have no warning on their site about it & apparently aren't restricting
> user login to access acct info or online bill pay.
>
> They're not cautioning users to be alert for suspicious activity in their acct.

It seems no one wants to talk or hear about this issue.  It is not being 
reported on media sites or anywhere else, other than the Heartbleed site, and 
the OpenSSL lists.

This bug has been a known issue for about 2 years, and we are only now learning 
about it.  Not from banking, credit card, or shopping sites, nor from most news 
sites (the reports I've seen on news sites tend to downplay the scope and 
severity of the problem altogether, or simply say, "It's fixed").  Saying "it's 
fixed" is far from true.

It makes me wonder if the NSA was involved in inserting this bug into OpenSSL 
clients and servers.

