I really disagree with your perspective here, but I do concur that a fast fix is desirable for any impacted site. Notifying impacted sites ahead of public disclosure would have been a better move, and particularly ahead of public shaming and attacker targeting.

While these notifications may have gone out, there is no reference to any such thing on the page. Also: do they plan to update this list? Or are these sites to be shamed forever?

edit: and yes, the lack of a steps-to-fix is unforgivable. This feels like a race to be first rather than a race to responsibly release and resolve the issue all around.

Especially considering that the fix is beyond trivial:

  Apache: SSLCipherSuite ALL:!EXPORT
  nginx: ssl_ciphers 'ALL:!EXPORT'
(although you shouldn't use ALL, this is just an example; use https://mozilla.github.io/server-side-tls/ssl-config-generat... if you don't know what to do)
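The two directives above resolve through OpenSSL's cipher-string syntax, where `!EXPORT` permanently removes the export-grade suites no matter what comes before or after it, while `-EXPORT` only removes them until a later token re-adds them. The following is an added example, not code from the thread or from Apache or nginx: a small linter that pulls `SSLCipherSuite` / `ssl_ciphers` lines out of a config and reports which cipher strings still admit export ciphers. It is a conservative approximation of OpenSSL's resolver (for instance it treats `DEFAULT` and `COMPLEMENTOFDEFAULT` as possibly containing export suites, which was true on OpenSSL builds of the FREAK era); the sample configs are constructed for the example. The authoritative check is `openssl ciphers -v '<string>'` on the OpenSSL build your server actually links against, where any surviving suite named `EXP-...` is a problem.

```python
import re

# Constructed sample configs (not taken from the thread): weak and fixed forms.
WEAK_APACHE = "SSLEngine on\nSSLCipherSuite ALL\n"
FIXED_APACHE = "SSLEngine on\nSSLCipherSuite ALL:!EXPORT\n"
WEAK_NGINX = "ssl_ciphers 'DEFAULT:EXP-RC4-MD5';\n"
FIXED_NGINX = "ssl_ciphers 'ALL:!EXPORT';\n"

# Matches an Apache SSLCipherSuite or nginx ssl_ciphers line; commented lines
# ('#' before the directive) do not match because of the leading-anchor.
DIRECTIVE_RE = re.compile(
    r"^\s*(SSLCipherSuite|ssl_ciphers)\s+(.+?)\s*;?\s*$", re.MULTILINE
)

# Tokens that name export-grade suites directly.
EXPORT_GROUPS = {"EXPORT", "EXP", "EXPORT40", "EXPORT56"}
# Broad aliases that, on affected OpenSSL versions, pull export suites in.
# Treating DEFAULT/COMPLEMENTOFDEFAULT this way is a deliberate, conservative assumption.
BROAD_GROUPS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}


def _mentions_export(name):
    """True if a cipher-string token (possibly 'A+B' conjunction) can select export suites."""
    for part in name.upper().split("+"):
        if part in EXPORT_GROUPS or part in BROAD_GROUPS:
            return True
        if part.startswith("EXP-") or part.startswith("EXP1024-"):
            return True
    return False


def allows_export(cipher_string):
    """Approximate OpenSSL semantics: does this cipher string leave export suites enabled?

    '!' removes permanently (later tokens cannot re-add), '-' removes until re-added,
    '+' only reorders, a bare token adds. '@' tokens (e.g. @STRENGTH) are ignored.
    """
    banned = False   # an '!' token has permanently excluded export suites
    enabled = False  # export suites are currently in the list
    for raw in cipher_string.split(":"):
        tok = raw.strip()
        if not tok or tok.startswith("@"):
            continue
        op, name = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        if op == "+" or not _mentions_export(name):
            continue
        if op == "!":
            banned, enabled = True, False
        elif op == "-":
            enabled = False
        elif not banned:
            enabled = True
    return enabled


def cipher_directives(config_text):
    """Return (directive, cipher_string) pairs found in an Apache or nginx config."""
    found = []
    for m in DIRECTIVE_RE.finditer(config_text):
        value = m.group(2).strip().strip("'\"")
        found.append((m.group(1), value))
    return found


def find_export_risks(config_text):
    """Return the directives whose cipher string still admits export ciphers."""
    return [(d, c) for d, c in cipher_directives(config_text) if allows_export(c)]


if __name__ == "__main__":
    for label, cfg in [("weak apache", WEAK_APACHE), ("fixed apache", FIXED_APACHE),
                       ("weak nginx", WEAK_NGINX), ("fixed nginx", FIXED_NGINX)]:
        risks = find_export_risks(cfg)
        print(f"{label}: {'EXPORT ciphers possible: ' + str(risks) if risks else 'ok'}")
```

Run it against a real `httpd.conf` or `nginx.conf` by reading the file into `find_export_risks`; an empty result means every cipher directive found either bans export suites with `!` or never selects them, and a non-empty result is the list to fix.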

> Notifying impacted sites ahead of public disclosure would have been a better move

Notifying that many affected websites is practically the same as making it public, and could've resulted in letting attackers know about this before the public (and any affected websites that aren't on your list) knows about it and is able to fix that.
