Should have added that, via the Netcraft link above, this link provides up-to-date info: http://toolbar.netcraft.com/site_report?url=https://www.commbank.com.au
It has this:

Heartbleed revocation
The certificate offered on www.commbank.com.au before the Heartbleed announcement has *not yet been revoked*.

Serial                               Common Name(s)        Normally Expires   CRL revocation status   CRLSet revocation status
0x5e9f33e7cfb02a58043266c2be468fee   www.commbank.com.au   2014-06-05         not revoked             not revoked

Revocation information last updated 2014-05-06 18:00 GMT.

BIG and very IMPORTANT FAIL!

BW

On Wed, May 7, 2014 at 8:34 PM, Brent Wallis <[email protected]> wrote:
> Hi,
>
> On Wed, May 7, 2014 at 7:38 PM, Erik Christiansen <[email protected]> wrote:
>
>> On 07.05.14 00:34, Andrew McGlashan wrote:
>> > Apparently the Commonwealth Bank was affected, but they claim that
>> > only the main website was vulnerable, not Netbank -- can you trust
>> > them? I think NOT! Banks do NOT care about security as much as they
>> > need to; why do you think tap-and-pay systems are so good for them ...
>> > it's because the RETAILER takes ALL the risk whilst the bank takes NO
>> > RISK at all.
>>
>> Is there any evidence for any of those assertions?
>>
>> That bank cared enough about security to _insist_ on sending a security
>> dongle when a substantial netbank account was opened - they did not
>> wish to accept liability for loss of that amount of funds without the
>> extra security provision.
>>
>> That's where it got/gets tricky.
>
> The dongle was / could have been "keyed" off the private cert of the
> domain...perhaps?
> The bank will not...ever publish the detail...but
> CloudFlare threw out a challenge the first weekend after "Nosebleed" was
> made public knowledge.
> It was "Can you gain access to a private key via the flaw?"
>
> http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge
>
> ans=yes and it only took a couple of hours.
>
> So...if a private key was able to be gained...then the smart assumption
> would have to be that everything else that relied on it had already/or
> could be compromised if it was/is not replaced.
>
> Best most succinct description of the flaw I have seen is here:
>
> http://xkcd.com/1354/
>
> The CF challenge proved that a private key was vulnerable via this flaw.
>
> To date, cert revocations have been very slow...big players quick...lesser
> players still dragging their heels:
>
> http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
> (and if you follow the links on that you will find that they are tracking
> revocation rates...which have been abysmally slow)
>
> This issue is not over by any means... kudos to RC for the highlight!
> This issue is and should still be BIG News!
>
> BW
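The "CRL revocation status" column in that Netcraft report is the result of a simple lookup: fetch the issuing CA's Certificate Revocation List and see whether the certificate's serial number appears in its revokedCertificates list. The following is an added example (not code from the thread, from Netcraft or from the bank) that builds a small, constructed DER-encoded CRL with two made-up revoked serials and then runs the same lookup against it, using the commbank serial quoted in the report as the "not revoked" case. The sample CRL carries a placeholder signature and the parser deliberately does not verify one; a real client must verify the CRL signature against the issuer's key before trusting its contents, and should treat a CRL past its nextUpdate as unusable rather than as proof of non-revocation, which is what the "stale CRL" outcome below models.

```python
"""Minimal DER CRL builder and revocation lookup (constructed example)."""
from datetime import datetime, timezone

# ASN.1 DER tags used in this example
INTEGER, BIT_STRING, NULL, OID, UTF8STRING = 0x02, 0x03, 0x05, 0x06, 0x0C
UTCTIME, GENTIME, SEQUENCE, SET = 0x17, 0x18, 0x30, 0x31


def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    # The extra byte keeps the sign bit clear when the top bit of v is set.
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def der_utctime(dt):
    return tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())


def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def der_children(body):
    """Split a constructed body into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def build_crl(revoked, this_update, next_update):
    """Build a CRL whose signature is a zero placeholder (demo only, unsigned)."""
    sha256_rsa = tlv(OID, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B]))
    sig_alg = tlv(SEQUENCE, sha256_rsa + tlv(NULL, b""))
    cn_oid = tlv(OID, bytes([0x55, 0x04, 0x03]))  # id-at-commonName
    issuer = tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE, cn_oid + tlv(UTF8STRING, b"Example CA"))))
    entries = b"".join(tlv(SEQUENCE, der_int(s) + der_utctime(d)) for s, d in revoked)
    tbs = tlv(SEQUENCE, der_int(1) + sig_alg + issuer + der_utctime(this_update)
              + der_utctime(next_update) + tlv(SEQUENCE, entries))
    return tlv(SEQUENCE, tbs + sig_alg + tlv(BIT_STRING, b"\x00" * 33))


def parse_crl(crl_der):
    """Return (next_update, {serial: revocation date}) from a DER CRL.
    The signature is NOT verified here; a real client must do that first."""
    _, cert_list, _ = der_read(crl_der)
    fields = der_children(der_children(cert_list)[0][1])  # tbsCertList
    i = 1 if fields[0][0] == INTEGER else 0               # optional version
    i += 3                                                 # signature, issuer, thisUpdate
    next_update = None
    if i < len(fields) and fields[i][0] in (UTCTIME, GENTIME):
        fmt = "%y%m%d%H%M%SZ" if fields[i][0] == UTCTIME else "%Y%m%d%H%M%SZ"
        next_update = datetime.strptime(fields[i][1].decode(), fmt).replace(tzinfo=timezone.utc)
        i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == SEQUENCE:       # revokedCertificates
        for _, entry in der_children(fields[i][1]):
            (_, serial), (_, date) = der_children(entry)[:2]
            revoked[int.from_bytes(serial, "big")] = date.decode()
    return next_update, revoked


def revocation_status(crl_der, serial, now):
    """Mirror the report's column: 'revoked', 'not revoked', or 'stale CRL'."""
    next_update, revoked = parse_crl(crl_der)
    if next_update is not None and now > next_update:
        return "stale CRL"  # an expired CRL proves nothing either way
    return "revoked" if serial in revoked else "not revoked"


# Constructed sample data: two made-up revoked serials. The commbank serial
# from the Netcraft report is deliberately absent, reproducing its "not revoked" row.
COMMBANK_SERIAL = 0x5E9F33E7CFB02A58043266C2BE468FEE
NOW = datetime(2014, 5, 6, 18, 0, tzinfo=timezone.utc)
SAMPLE_CRL = build_crl(
    [(0x1001, NOW.replace(day=1)), (0xABCDEF0123456789, NOW.replace(day=3))],
    this_update=NOW.replace(hour=0), next_update=NOW.replace(day=13))

if __name__ == "__main__":
    for s in (COMMBANK_SERIAL, 0xABCDEF0123456789):
        print(f"0x{s:x}: {revocation_status(SAMPLE_CRL, s, NOW)}")
```

The CRLSet column in the same report is a separate mechanism (Chrome's own pushed list of revocations) and is not modelled here; the point of the example is that a "not revoked" answer is only as good as the freshness and authenticity of the list it was checked against.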
_______________________________________________ luv-main mailing list [email protected] http://lists.luv.asn.au/listinfo/luv-main
