On 4/10/2014 3:07 PM, g wrote:
On 04/10/14 20:54, Ian Malone wrote:
On 10 April 2014 14:57, Tim ignored_mailbox@yahoo.com.au wrote:
Allegedly, on or about 10 April 2014, Patrick O'Callaghan sent:
Did you also change your passwords on every vulnerable site which has since been fixed?
That will be a major pain. The one address offered to check whether a service was patched was overloaded when I tried it, and probably always will be. So you go around changing all passwords, to be safe. And will have to continue doing that until you're sure that it's safe (which is never, really).
See http://www.theatlantic.com/technology/archive/2014/04/how-to-check-if-a-site...
for a couple of sites that can be used to test, there are probably others.
I wonder what the outcome will be if your bank account gets ripped off due to this, for example. Can you hold the bank liable, or are they going to say it's your problem? My simple look at the information provided looks like it's a server and client problem.
Interestingly, as the result of one of those test suites I now know that although one of the banks I use doesn't currently have the heartbleed bug they do have a different problematic vulnerability, and will shortly be getting an email about it.
above link gave 2 test sites. 1st gave no response, 2nd gave a grade of 'B' and said site i was checking was not vulnerable to heartbleed attack.
all of which brings to question, if one does not store passwords for critical sites, does it matter?
Does not *the site* store your password?