Re: openssl/libssl1 in Debian now blocks offlineimap?

To: debian-devel@lists.debian.org
Subject: Re: openssl/libssl1 in Debian now blocks offlineimap?
From: Adrian Bunk <bunk@debian.org>
Date: Sun, 20 Aug 2017 12:23:36 +0300
Message-id: <[🔎] 20170820092336.ebieeclimwqc2fbm@localhost>
In-reply-to: <[🔎] 87d17siqqy.fsf@err.no>
References: <20170814190938.td4vhyq5rqmmxlrw@shelf.conquest> <20170814200540.qunn4exfhwgnubio@roeckx.be> <20170815102826.GA2738@vidovic.ultras.lan> <[🔎] 20170815134905.uzhmjjsdifo6zky5@burischnitzel.preining.info> <[🔎] 20170815150449.tjfsf5g2pp4odv5q@roeckx.be> <[🔎] 20170815162616.xudlxhuihtmpe67w@localhost> <[🔎] 87d17siqqy.fsf@err.no>

On Fri, Aug 18, 2017 at 10:07:49PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk 
>... 
> The PCI consortium extended the deadline until June
> 2018.  Assuming that deadline holds, people with older machines will not
> be able to access services such as online banking or pay online in
> general.

That's wrong.

Think of the "TLS 1.2 not working with WPA" discussed earlier here that 
might still affect half a billion active Android devices at the buster
release date.[1]

The online banking app running on such a device will support TLS 1.2

The PayPal app currently requires Android >= 4.0.3, released in 2011.

> ... but they're pragmatic.
> As they write in their press release: “…in the field a lot of business
> issues surfaced…” said Stephen Orfei, General Manager, PCI SSC. “We want
> merchants protected against data theft but not at the expense of turning
> away business, ...

Corollary:

It is permitted to run your online banking app on an Android device 
with a 5 year old firmware with no security updates ever available.

>...
> to make sure any users on platforms where support for that is
> lacking get a proper notification and a chance to move to something
> newer.
>...

Imagine Debian running on the AP providing the WiFi for a Cafe.

What you are saying is that the staff working at the Cafe should explain 
to their customers that they have to buy a new phone if they want to use 
the WiFi.

cu
Adrian

[1] I haven't investigated how widespread this specific problem 
    actually is, or whether it can be mitigated - the point is that
    it is unrelated to TLS versions supported by PayPal or online 
    banking apps running on the device

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply to:

Follow-Ups:
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Sven Hartge <sven@svenhartge.de>
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Tollef Fog Heen <tfheen@err.no>

References:
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Norbert Preining <norbert@preining.info>
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Adrian Bunk <bunk@debian.org>
- Re: openssl/libssl1 in Debian now blocks offlineimap?
  - From: Tollef Fog Heen <tfheen@err.no>

Prev by Date: Bug#872697: ITP: node-unicode-10.0.0 -- Unicode data for Node.js
Next by Date: Re: openssl/libssl1 in Debian now blocks offlineimap?
Previous by thread: Re: openssl/libssl1 in Debian now blocks offlineimap?
Next by thread: Re: openssl/libssl1 in Debian now blocks offlineimap?
Index(es):
- Date
- Thread