Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On 4/13/2014 10:03 PM, Chris Bannister wrote:
> considering it is a catastrophe worse than the Y2K bug.
This is several orders of magnitude less severe than Y2K.
> It seems very likely that people are using compromised apps on their
> smartphone and you'd think it would be advisable to warn people ASAP!
OpenSSL is a library, not an 'app'.
> Not even an email from the bank!
Many/most financial institutions disdain open source software and would
much rather pay for proprietary commercial solutions so there is someone
to sue and recover damages when things go tits up.
Most financial institutions tend to run operations on IBM or clone
mainframes. Thus they'll likely be using IBM's mainframe
implementations of SSL/TLS, or a commercial front end termination
device, neither of which is likely affected by this CVE, which is for a
few specific versions of OpenSSL only.
> Then there is also the very serious issue of embedded devices using
> openssl. Tablets, smartphones, routers, ... etc. etc.
This problem only exists *if* these devices connect to a compromised or
rogue host via SSL/TLS *and* the user hasn't reset and/or deleted
locally cached usernames and passwords.
So, no, definitely not on the impact scale of Y2K. That affected
*everyone* whereas this does not. Anyone using an MS Windows PC, which
is the majority of the planet, whose financial institutions do not use
OpenSSL, is entirely safe from this bug.
The *nix community is going ape shit over this not because of bank
accounts potentially getting drained, but because so many
command/control systems of the Internet backbone are vulnerable to
leaking encryption keys, potentially allowing any cracker access to them.