[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: openssl/libssl1 in Debian now blocks offlineimap?

On Fri, Aug 18, 2017 at 10:07:49PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk 
> The PCI consortium extended the deadline until June
> 2018.  Assuming that deadline holds, people with older machines will not
> be able to access services such as online banking or pay online in
> general.

That's wrong.

Think of the "TLS 1.2 not working with WPA" discussed earlier here that 
might still affect half a billion active Android devices at the buster
release date.[1]

The online banking app running on such a device will support TLS 1.2

The PayPal app currently requires Android >= 4.0.3, released in 2011.

> ... but they're pragmatic.
> As they write in their press release: “…in the field a lot of business
> issues surfaced…” said Stephen Orfei, General Manager, PCI SSC. “We want
> merchants protected against data theft but not at the expense of turning
> away business, ...


It is permitted to run your online banking app on an Android device 
with a 5 year old firmware with no security updates ever available.

> to make sure any users on platforms where support for that is
> lacking get a proper notification and a chance to move to something
> newer.

Imagine Debian running on the AP providing the WiFi for a Cafe.

What you are saying is that the staff working at the Cafe should explain 
to their customers that they have to buy a new phone if they want to use 
the WiFi.


[1] I haven't investigated how widespread this specific problem 
    actually is, or whether it can be mitigated - the point is that
    it is unrelated to TLS versions supported by PayPal or online 
    banking apps running on the device


       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply to: