
If someone builds this, please do not make the client actively poll the sites visited. Doing so seems likely, IMHO, to land you or even your users in jail for Computer Fraud and Abuse violations (e.g. someone visiting healthcare.gov).

https://en.wikipedia.org/wiki/Morris_worm

If you do this, reference a centralized list/registry. Don't risk the reputations of your users.



The fraud is that these vulnerable sites are risking their users' private data, while pretending they are not.


Security is a best effort thing. Get used to it. Make note of which providers fell short here and act accordingly. Questions?


Imprisoning users who check for the vulnerability doesn't seem like a best effort. It also doesn't seem likely.


I see you're conflating my arguments. Anyway, I'll upvote you and step aside.

Edit: On second thought. Go ahead and conflate them. As I said, don't risk the reputations of your users. That goes for everyone.


Right, but exploiting Heartbleed to dump memory of the target webserver is most likely "unauthorized use of a computer system" and thus in violation of the CFAA.


Can't you just check if heartbeat is enabled and poll what version of the library is used? If not, could you check by setting the payload size lower than the payload? That way you know the site is vulnerable without receiving anything you shouldn't have received.
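The length check at issue in the comment above, as an added offline simulation that is not code from anyone in this thread. It models a TLS heartbeat message (RFC 6520: type, two-byte payload_length, payload, 16 bytes of padding) and two fake responders: one with the bounds check that fixed Heartbleed (CVE-2014-0160) and one without it. The "neighbouring memory" after the record and the payloads are constructed for the demo; nothing here opens a socket. It shows that a declared length smaller than the real payload gets the same echo from both servers (so it carries no signal), whereas a declared length one byte larger is silently dropped by the patched server and answered with one extra byte by the vulnerable one.

```python
"""Simulation of the heartbeat length check that Heartbleed omitted.
No network I/O; server memory and payloads are constructed for the demo."""
import struct
from typing import Callable, Optional

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed heap contents that happen to follow the record buffer on the
# vulnerable server; a real over-read returns whatever sits there.
NEIGHBOURING_MEMORY = b"session cookie=deadbeef;"


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Serialize type(1) | payload_length(2) | payload | padding.
    declared_len lets the caller misstate the payload length."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING_LEN


def patched_server(record: bytes) -> Optional[bytes]:
    """Post-fix behaviour: drop any record whose declared length does not fit.
    Returns the response record, or None when the request is discarded."""
    if len(record) < 1 + 2 + PADDING_LEN:
        return None  # too short even for an empty payload
    hb_type, declared = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + declared + PADDING_LEN > len(record):
        return None  # the bounds check added in OpenSSL 1.0.1g
    payload = record[3:3 + declared]
    return struct.pack("!BH", HB_RESPONSE, declared) + payload + b"\x00" * PADDING_LEN


def vulnerable_server(record: bytes) -> Optional[bytes]:
    """Pre-fix behaviour: trust payload_length and copy that many bytes from
    where the record sits, reading past its end into neighbouring memory."""
    if len(record) < 3:
        return None
    hb_type, declared = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    memory = record + NEIGHBOURING_MEMORY  # constructed view of the heap
    payload = memory[3:3 + declared]  # over-reads when declared > real payload
    return struct.pack("!BH", HB_RESPONSE, declared) + payload + b"\x00" * PADDING_LEN


def response_payload(resp: Optional[bytes]) -> Optional[bytes]:
    """Extract the echoed payload from a heartbeat response record."""
    if resp is None:
        return None
    declared = struct.unpack("!H", resp[1:3])[0]
    return resp[3:3 + declared]


def probe(server: Callable[[bytes], Optional[bytes]], payload: bytes, declared_len: int) -> str:
    """Classify a responder by its reaction to a mismatched payload_length.
    'dropped'    -> the length check is present
    'overread:N' -> N bytes beyond the sent payload came back
    'echo'       -> nothing beyond what was sent came back (no signal)"""
    body = response_payload(server(build_heartbeat(payload, declared_len)))
    if body is None:
        return "dropped"
    extra = len(body) - len(payload)
    return f"overread:{extra}" if extra > 0 else "echo"


if __name__ == "__main__":
    for name, srv in (("patched", patched_server), ("vulnerable", vulnerable_server)):
        # declared shorter / one byte longer / far longer than the 4-byte payload
        print(name, probe(srv, b"ping", 2), probe(srv, b"ping", 5), probe(srv, b"ping", 25))
```

The one-byte over-declaration is the minimal probe that still distinguishes the two behaviours; anything returned beyond the padding is data that was never sent, which is the point the thread is arguing about.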



