Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On 14/04/14 18:55, Stan Hoeppner wrote:
> On 4/13/2014 10:03 PM, Chris Bannister wrote:
>> considering it is a catastrophe worse than the Y2K bug.
> This is several orders of magnitude less severe than Y2K.
Y2K was extensively predicted, a lot of people did a lot of work to
avoid it, and in the end it wasn't very significant, no? I don't mean it
wasn't a significant amount of work to fix the bugs, I just mean the
final effect wasn't significant. Correct me if I'm wrong.
This one, on the other hand, was generally not predicted, and was widely
exploited before people got a chance to fix it. That's presumably still
>> It seems very likely that people are using compromised apps on their
>> smartphone and you'd think it would be advisable to warn people ASAP!
> OpenSSL is a library, not an 'app'.
And apps use libraries, do they not? What smartphone apps use openssl I
>> Not even an email from the bank!
> Many/most financial institutions disdain open source software and would
> much rather pay for proprietary commercial solutions so there is someone
> to sue and recover damages when things go tits up.
> Most financial institutions tend to run operations on IBM or clone
> mainframes. Thus they'll likely be using IBM's mainframe
> implementations of SSL/TLS, or a commercial front end termination
> device, neither of which are likely affected by this CVE which is for a
> few specific versions of OpenSSL only.
Maybe they do, maybe they don't. I would at least hope they'd stick a
notice on their homepage telling us a) whether they're vulnerable and b)
reminding us that if we use the same password on other sites as on the
bank, then firstly we should change it pronto, and secondly we should
start using different passwords, and this is a good example why.
>> Then there is also the very serious issue of embedded devices using
>> openssl. Tablets, smartphones, routers, ... etc. etc.
> This problem only exists *if* these devices connect to a compromised or
> rogue host via SSL/TLS *and* the user hasn't reset and/or deleted
> locally cached usernames and passwords.
> So, no, definitely not on the impact scale of Y2K. That affected
> *everyone* whereas this does not. Anyone using an MS Windows PC, which
> is the majority of the planet, whose financial institutions do not use
> OpenSSL, is entirely safe from this bug.
Financial institutions might be safe - social media sites, as I
understand it, generally aren't. I care about that quite a lot too, and
many more people use those than use any one bank.