
Hi,

On Wed, May 7, 2014 at 7:38 PM, Erik Christiansen <dvalin@internode.on.net> wrote:
> On 07.05.14 00:34, Andrew McGlashan wrote:
>> Apparently the Commonwealth Bank was affected, but they claim that only the main website was vulnerable, not Netbank -- can you trust them? I think NOT! Banks do NOT care about security as much as they need to; why do you think tap-and-pay systems are so good for them ... it's because the RETAILER takes ALL the risk whilst the bank takes NO RISK at all.
>
> Is there any evidence for any of those assertions?
>
> That bank cared enough about security to _insist_ on sending a security dongle when a substantial netbank account was opened - they did not wish to accept liability for loss of that amount of funds without the extra security provision.

That's where it got/gets tricky.

The dongle was / could have been "keyed" off the private cert of the domain...perhaps? The bank will not...ever publish the detail...but CloudFlare threw out a challenge the first weekend after "Nosebleed" was made public knowledge. It was "Can you gain access to a private key via the flaw?"

http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

ans=yes and it only took a couple of hours.

So...if a private key was able to be gained...then the smart assumption would have to be that everything else that relied on it had already/or could be compromised if it was/is not replaced.

Best, most succinct description of the flaw I have seen is here: http://xkcd.com/1354/

The CF challenge proved that a private key was vulnerable via this flaw. To date, cert revocations have been very slow...big players quick...lesser players still dragging their heels:

http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-w...

(and if you follow the links on that you will find that they are tracking revocation rates...which have been abysmally slow)

This issue is not over by any means... kudos2 to RC for the highlight! This issue is and should still be BIG News!

BW