Should have added, via the Netcraft link above, that this link (which provides up-to-date info):
http://toolbar.netcraft.com/site_report?url=https://www.commbank.com.au

Has this:
Heartbleed revocation

The certificate offered on www.commbank.com.au before the Heartbleed announcement has not yet been revoked.

Serial                              Common Name(s)        Normally Expires  CRL revocation status  CRLSet revocation status
0x5e9f33e7cfb02a58043266c2be468fee  www.commbank.com.au   2014-06-05        not revoked            not revoked

Revocation information last updated 2014-05-06 18:00 GMT.



BIG and very IMPORTANT FAIL!

BW
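The "CRL revocation status" column in the Netcraft table above is produced by exactly the kind of check a site operator can run locally. The script below is an added example and not part of this thread or of Netcraft's tooling: it builds a throwaway CA, issues two constructed leaf certificates, revokes one, publishes a CRL, and then reports each certificate's status two ways (full chain verification with `openssl verify -crl_check`, and a serial-number lookup in the CRL like the table's Serial column). It assumes only that `openssl`(1) is installed; all names, files and serials are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing list thread or Netcraft.
# Demonstrates how "CRL revocation status" for a certificate is determined.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Throwaway, self-signed CA (constructed for this demo only) ---
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# openssl ca(1) needs a minimal config plus its "database" files
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
serial           = serial.txt
crlnumber        = crlnumber.txt
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any_policy
[ any_policy ]
commonName = supplied
EOF
: > index.txt
echo 1000 > serial.txt
echo 01   > crlnumber.txt

# issue_leaf <common name> <output basename>: CSR + CA-signed certificate
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in "$2.csr" -out "$2.crt" >/dev/null 2>&1
}

# Two constructed leaves: one will be revoked (e.g. after a key exposure),
# one stays valid (e.g. re-keyed after the incident).
issue_leaf www.exposed-key.example leaf_revoked
issue_leaf www.rekeyed.example     leaf_ok

# Revoke the first leaf and publish a fresh CRL
openssl ca -config ca.cnf -revoke leaf_revoked.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl      >/dev/null 2>&1

# crl_status <cert.pem>: chain verification with CRL checking enabled.
# Prints "revoked" or "not revoked", mirroring the Netcraft column.
crl_status() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" >/dev/null 2>&1; then
    echo "not revoked"
  else
    echo "revoked"
  fi
}

# cert_serial <cert.pem>: the certificate's serial number in hex (no "0x")
cert_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# serial_in_crl <hex serial>: lookup by serial in the published CRL,
# the same key the Netcraft table uses to identify the certificate.
serial_in_crl() {
  if openssl crl -in ca.crl -noout -text | grep -q "Serial Number: $1"; then
    echo "revoked"
  else
    echo "not revoked"
  fi
}

for leaf in leaf_revoked.crt leaf_ok.crt; do
  s="$(cert_serial "$leaf")"
  printf '%-16s serial=%s  verify: %s  crl lookup: %s\n' \
    "$leaf" "$s" "$(crl_status "$leaf")" "$(serial_in_crl "$s")"
done
```

The two checks answer different questions: `openssl verify -crl_check` tells you whether a client that honours CRLs would still accept the certificate, while the serial lookup is what a status page does when it only has the serial and the issuer's CRL. Note that a certificate that has not been revoked can still be unsafe: if its private key was exposed, revocation is the operator's action, and its absence is precisely the gap the table above highlights.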

On Wed, May 7, 2014 at 8:34 PM, Brent Wallis <brent.wallis@gmail.com> wrote:
Hi,

On Wed, May 7, 2014 at 7:38 PM, Erik Christiansen <dvalin@internode.on.net> wrote:
On 07.05.14 00:34, Andrew McGlashan wrote:
> Apparently the Commonwealth Bank was effected, but they claim that
> only the main website was vulnerable, not Netbank -- can you trust
> them?  I think NOT!  Banks do NOT care about security as much as they
> need to; why do you think tap-and-pay systems are so good for them ...
> it's because the RETAILER takes ALL the risk whilst the bank takes NO
> RISK at all.

Is there any evidence for any of those assertions?

That bank cared enough about security to _insist_ on sending a security
dongle when a substantial netbank account was opened - they did not
wish to accept liability for loss of that amount of funds without the
extra security provision.

That's where it got/gets tricky.

The dongle was / could have been "keyed" off the private cert of the domain...perhaps?
The bank will not...ever publish the detail...but 
CloudFlare threw out a challenge the first weekend after "Nosebleed" was made public knowledge.
It was "Can you gain access to a private key via the flaw?"


ans=yes and it only took a couple of hours.

So...if a private key was able to be gained...then the smart assumption would have to be that everything else that relied on it had already/or could be compromised if it was/is not replaced.

Best most succinct description of the flaw I have seen is here:


The CF challenge proved that a private key was vulnerable via this flaw.

To date, cert revocations have been very slow...big players quick...lesser players still dragging their heels:

(and if you follow the links on that you will find that they are tracking revocation rates...which have been abysmally slow)

This issue is not over by any means... kudos to RC for the highlight!
This issue is and should still be BIG News!

BW