[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: My fellow (Debian) Linux users ...

Heads up, guys!

On Mon, Apr 14, 2014 at 9:05 AM, Richard Hector <richard@walnut.gen.nz> wrote:
On 13/04/14 23:43, Curt wrote:
> On 2014-04-13, Eduardo M KALINOWSKI <eduardo@kalinowski.com.br> wrote:
>> On 20h20 12 de Abril de 2014, Steve Litt wrote:
>>> I'm changing every password: That's about 100 of them.
>> That's a good thing to do, but only after the server has patched
>> openssl and changed its certificate. Otherwise someone could have
>> captured the private key and other information that could be used to
>> eavesdrop your newly changed password.
> This online tester:
> http://possible.lv/tools/hb/
> provides this sort of output in the critical case:

I have 2 significant issues with all these online testers.

Firstly, they generally actively exploit the bug, which is probably
illegal in most jurisdictions - at least if you're using it on a server
that isn't yours.

Secondly - do you know who runs it? I don't. If I wanted to harvest a
bunch of potentially vulnerable sites, setting up a test site is how I'd
do it ...


Thank you, Richard, for expressing that better than I could.

Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

Reply to: