Re: openssl/libssl1 in Debian now blocks offlineimap?
On Fri, Aug 18, 2017 at 10:07:49PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk
>...
> The PCI consortium extended the deadline until June
> 2018. Assuming that deadline holds, people with older machines will not
> be able to access services such as online banking or pay online in
> general.
That's wrong.
Think of the "TLS 1.2 not working with WPA" discussed earlier here that
might still affect half a billion active Android devices at the buster
release date.[1]
The online banking app running on such a device will support TLS 1.2.
The PayPal app currently requires Android >= 4.0.3, released in 2011.
> ... but they're pragmatic.
> As they write in their press release: “…in the field a lot of business
> issues surfaced…” said Stephen Orfei, General Manager, PCI SSC. “We want
> merchants protected against data theft but not at the expense of turning
> away business, ...
Corollary:
It is permitted to run your online banking app on an Android device
with a 5 year old firmware with no security updates ever available.
>...
> to make sure any users on platforms where support for that is
> lacking get a proper notification and a chance to move to something
> newer.
>...
Imagine Debian running on the AP providing the WiFi for a Cafe.
What you are saying is that the staff working at the Cafe should explain
to their customers that they have to buy a new phone if they want to use
the WiFi.
cu
Adrian
[1] I haven't investigated how widespread this specific problem
actually is, or whether it can be mitigated - the point is that
it is unrelated to TLS versions supported by PayPal or online
banking apps running on the device.
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed