OT: Heartbleed, OpenSSL vulnerability
Fairlight
fairlite at fairlite.com
Mon Apr 14 09:06:28 PDT 2014
On Sun, Apr 13, 2014 at 04:46:44PM -0400, J. P. Radley thus spoke:
> https://lastpass.com/heartbleed/
That testing is near-useless, and also a Really Bad Idea[tm] to use.
1) I tried it against my own VPS, which I -know- to be patched with a safe
version of OpenSSL. It couldn't even give me a definitive answer other
than that it's using OpenSSL but -might- be using a safe version.
2) It calls a perfectly valid Comodo certificate "possibly unsafe".
3) The total assessment said it's unclear.
4) The results pop up staggered, and it does indeed appear to be a
real-time test. The issue with trying this against sites you don't own is
that you're essentially attempting unauthorised access to a computing
system you do not own - a felony in many jurisdictions. This is why
penetration testing services have you sign off that you own the systems
you're testing.
This is -not- cool. Besides being shoddily implemented, it's legally
questionable, at best.
mark->
--
Audio panton, cogito singularis.
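The local alternative implied above (checking a host you own rather than handing its name to a third-party scanner), as an added shell example that is not part of this thread. The affected range it encodes (upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) is an assumption from the public advisory, not something stated in the post.

```shell
# Added example, not from the original post: classify the version string
# that `openssl version` prints on a box you administer.
# Assumed affected range (from the public advisory, not from the post):
# upstream 1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g.
heartbleed_version_check() {
    # $1 is one line as printed by `openssl version`,
    # e.g. "OpenSSL 1.0.1e 11 Feb 2013" (constructed sample below).
    ver=${1#OpenSSL }        # drop the leading "OpenSSL "
    ver=${ver%% *}           # keep only the version token
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;
        1.0.2-beta1*)                  echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1*)       echo not-affected ;;
        1.0.0*|0.9.*)                  echo not-affected ;;
        *)                             echo unknown ;;
    esac
}

# Caveat: distributions backport the fix without bumping the upstream
# version, so "vulnerable" from this check means "verify the package
# changelog and `openssl version -b` build date", not "exploitable".
heartbleed_version_check "$(openssl version 2>/dev/null || echo 'OpenSSL unknown')"
```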
More information about the Filepro-list mailing list