On 2014-04-10 16:49, Greg Freemyer wrote:
> I don't even know enough yet to implement my own remediation plan, but here's a 3-line example out of it:
>
> 1 - change bank online password immediately
Would it not be "not immediately", but after the bank server updates their software? How do we know they updated? Because if we change the password, and they change their software _and_ certificate in, say, two weeks' time, the bad guys can get our new password during that interval. And we will think we did the right thing and do nothing for months... Further, how do we change our passwords, if the transmission protocol used while you change it is suspect?
> 2 - verify bank was either never susceptible to the heartbleed bug, or that they have remediated it.
>
> 3 - once 2) is done, change the password again since it may have been breached between steps 1 & 2.
Ugh. :-(

--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
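One concrete check for step 2 above (whether the bank has replaced its certificate since the bug became public), as an added example that is not part of this thread. It is a plain Python script using only the standard library; the sample certificates are constructed, and `bank.example` is a placeholder host. A post-disclosure issue date is necessary but not sufficient evidence of remediation: a reissued certificate could still reuse a key that was exposed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 2014-04-07. A certificate whose
# validity starts before that date cannot be a post-remediation replacement.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc).timestamp()


def reissued_after(cert, threshold=HEARTBLEED_DISCLOSURE):
    """True if the certificate's notBefore is at or after `threshold`.

    `cert` is a dict in the shape returned by SSLSocket.getpeercert(),
    whose date strings look like 'Apr  8 00:00:00 2014 GMT' (UTC).
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before >= threshold


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server certificate as a getpeercert() dict (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real data): one issued months before
# the disclosure, one issued the day after it.
OLD_CERT = {"subject": ((("commonName", "bank.example"),),),
            "notBefore": "Jan 15 00:00:00 2014 GMT",
            "notAfter": "Jan 15 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "bank.example"),),),
            "notBefore": "Apr  8 12:00:00 2014 GMT",
            "notAfter": "Apr  8 12:00:00 2015 GMT"}

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, "certificate issued after disclosure:", reissued_after(cert))
    # To check a real host instead: reissued_after(fetch_peer_cert("bank.example"))
```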