[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

Joe Btfsplk joebtfsplk at gmx.com
Wed Apr 9 21:13:14 UTC 2014


On 4/9/2014 12:36 PM, Andrew F wrote:
> Would be interesting if someone created an app to test for the problem and
> then published which big websites are slow to upgrade.
> That would certainly be good for consumers.
Well, one website sort of has.  They seem to have more extensive testing 
of overall security procedures, not just the Heartbleed bug.
https://www.ssllabs.com/ssltest/analyze.html
They give a rating for sites in areas like
- following best practices for server security (based on their own 
published guide)
- Heartbleed vulnerability
- type of ciphers used
- whether they use forward secrecy

They list a few of the most recent sites tested, under several categories; 
certainly not extensive.
It would be interesting to see how long it took sites to fix this issue, 
but wouldn't the process have needed to start very early after it was 
announced?
I too think average consumers could benefit from seeing websites' "safety 
ratings," but that's a moving target.  It seems it'd need updating 
constantly, which I guess could be done.

Using SSLlabs.com & some others to confirm findings, I was quickly able 
to determine that most banks - large & small - had already installed the 
OpenSSL patch, much earlier on Tues. - possibly on Mon.
Whereas this smaller bank w/ a fair number of regional branches that I 
use still had not upgraded OpenSSL as of midday on Wed 4/9.

The manager / VP in charge of their computer operations didn't reply to 
my email informing him of the continued problem until... I sent a 
follow-up to the bank COO saying that the problem was still unresolved as of 
4/9/14.  Funny how that works.
The follow-up reminded them both that they were putting themselves & 
customers at risk: by being so slow to implement the patch compared to 
comparable businesses, by not warning customers of the issue & by not 
stopping customers from logging in (potentially exposing passwords & 
critical data) until sufficient fixes were in place.

This may be a good way to find out about their general practices.  They've been 
slow about past immediate security issues, which I brought to their 
attention, & they never said "Sorry," "Get bent," or anything.
They only made excuses for being out of the office.  This could be the final 
straw for me using them for primary online banking.
