Heads up, guys!

On Mon, Apr 14, 2014 at 9:05 AM, Richard Hector <rich...@walnut.gen.nz> wrote:

> On 13/04/14 23:43, Curt wrote:
> > On 2014-04-13, Eduardo M KALINOWSKI <edua...@kalinowski.com.br> wrote:
> >> On 20h20 12 de Abril de 2014, Steve Litt wrote:
> >>> I'm changing every password: That's about 100 of them.
> >>
> >> That's a good thing to do, but only after the server has patched
> >> openssl and changed its certificate. Otherwise someone could have
> >> captured the private key and other information that could be used to
> >> eavesdrop your newly changed password.
> >
> > This online tester:
> >
> > http://possible.lv/tools/hb/
> >
> > provides this sort of output in the critical case:
>
> I have 2 significant issues with all these online testers.
>
> Firstly, they generally actively exploit the bug, which is probably
> illegal in most jurisdictions - at least if you're using it on a server
> that isn't yours.
>
> Secondly - do you know who runs it? I don't. If I wanted to harvest a
> bunch of potentially vulnerable sites, setting up a test site is how I'd
> do it ...
>
> Richard

Thank you, Richard, for expressing that better than I could.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.