
Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)



Stan Hoeppner:
> On 4/13/2014 10:03 PM, Chris Bannister wrote:
>
>> Then there is also the very serious issue of embedded devices using
>> openssl. Tablets, smartphones, routers, ... etc. etc. 
> 
> This problem only exists *if* these devices connect to a compromised or
> rogue host via SSL/TLS *and* the user hasn't reset and/or deleted
> locally cached usernames and passwords.

That is not the whole truth. It has by now been shown that certificates
and private keys were at risk for two years. You are affected by this
bug if your browser (or any other SSL/TLS client) does not properly
check for certificate revocations or if you try to visit a previously
vulnerable system whose certificate was not revoked for some reason.

> So, no, definitely not on the impact scale of Y2K.  That affected
> *everyone* whereas this does not.  Anyone using an MS Windows PC, which
> is the majority of the planet, whose financial institutions do not use
> OpenSSL, is entirely safe from this bug.

No. This applies to everyone who is using sites that previously used a
vulnerable version of OpenSSL. Since I generally cannot know which
software is used by a specific site, I tend to go as far as concluding
that any certificate from before 2014-04-08 may be stolen.

BTW, you shouldn't focus only on banks either. There are a lot of
popular services that use free software a lot, some of which happen to
include payment functionality.

J.
-- 
If I am asked 'How are you' more than a million times in my life I
promise to explode.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>
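The reply above argues that any certificate issued before 2014-04-08 should be treated as possibly stolen unless it was revoked or reissued. The script below is an added example (not part of the thread, and not Debian or OpenSSL project code) of how an administrator might triage an inventory of certificates by that rule: it walks the DER structure of a certificate far enough to read the validity period and flags a notBefore earlier than the fix date. The tiny DER walker and encoder, the function names, and the sample certificate structure (constructed inline, unsigned, with placeholder names and keys so the example runs offline) are all assumptions of this example; on real certificates you would load the DER bytes from disk and, for a complete check, also query the revocation status through the CRL or OCSP URL the certificate carries.

```python
"""Flag X.509 certificates whose validity period began before the
Heartbleed fix date (2014-04-08), i.e. whose private key may have been
exposed by a vulnerable OpenSSL server. Added example; not from the thread."""
from datetime import datetime, timezone

# Date of the fixed OpenSSL release discussed in the thread (assumed cut-off).
HEARTBLEED_FIX = datetime(2014, 4, 8, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Yield (tag, value) for every element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def _parse_time(tag, value):
    """Decode a Validity time: UTCTime (0x17) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:  # YYMMDDHHMMSSZ; strptime maps 00-68 to 20xx, close enough here
        return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:  # YYYYMMDDHHMMSSZ
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("unexpected time tag %#x" % tag)


def certificate_validity(der):
    """Return (notBefore, notAfter) from DER-encoded X.509 certificate bytes."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert_body, 0)      # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                 # optional explicit [0] version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, ...
    (t1, not_before), (t2, not_after) = list(_children(fields[3][1]))
    return _parse_time(t1, not_before), _parse_time(t2, not_after)


def heartbleed_triage(der, fix_date=HEARTBLEED_FIX):
    """Return ("possibly-exposed", notBefore) if the certificate predates the
    fix and should be reissued or confirmed revoked, else ("post-fix", notBefore)."""
    not_before, _ = certificate_validity(der)
    if not_before < fix_date:
        return "possibly-exposed", not_before
    return "post-fix", not_before


# --- constructed sample input (not a real or signed certificate) ---------

def _tlv(tag, value):
    """Minimal DER encoder for building the sample structure."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_certificate(not_before, not_after):
    """Build a certificate-shaped DER blob with the given validity period.
    Issuer, subject, key and signature are empty placeholders."""
    def utc(d):
        return _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                       # version v3
               + _tlv(0x02, b"\x01")                                 # serialNumber
               + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
               + _tlv(0x30, b"")                                     # issuer placeholder
               + _tlv(0x30, utc(not_before) + utc(not_after))        # validity
               + _tlv(0x30, b"")                                     # subject placeholder
               + _tlv(0x30, b""))                                    # SPKI placeholder
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


SAMPLE_OLD = build_sample_certificate(datetime(2013, 6, 1, tzinfo=timezone.utc),
                                      datetime(2015, 6, 1, tzinfo=timezone.utc))
SAMPLE_NEW = build_sample_certificate(datetime(2014, 5, 1, tzinfo=timezone.utc),
                                      datetime(2016, 5, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, der in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        verdict, issued = heartbleed_triage(der)
        print("%s certificate issued %s: %s" % (name, issued.date(), verdict))
```

The verdict is deliberately conservative: a pre-fix notBefore does not prove the key leaked, only that it was in service while the bug was exploitable, which is exactly the assumption the reply makes; a certificate that was reissued with a fresh key after the fix will simply show a later notBefore and pass.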
