Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

To: debian-user@lists.debian.org
Subject: Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
From: Stan Hoeppner <stan@hardwarefreak.com>
Date: Mon, 14 Apr 2014 06:31:32 -0500
Message-id: <[🔎] 534BC714.4040905@hardwarefreak.com>
Reply-to: stan@hardwarefreak.com
In-reply-to: <[🔎] 20140414105304.GK21675@well-adjusted.de>
References: <[🔎] 1397328483.609.19.camel@archlinux> <[🔎] 1397329416.609.20.camel@archlinux> <[🔎] 1397331077.609.28.camel@archlinux> <[🔎] CAAr43iM_yExKxuk=-qZ0d7miPDqkiL_0jgWTHp0SBNBYf_O4UA@mail.gmail.com> <[🔎] 1397407039.609.61.camel@archlinux> <[🔎] 20140414030313.GA9681@tal> <[🔎] 534B8648.1000604@hardwarefreak.com> <[🔎] 20140414105304.GK21675@well-adjusted.de>

On 4/14/2014 5:53 AM, Jochen Spieker wrote:
> Stan Hoeppner:
>> On 4/13/2014 10:03 PM, Chris Bannister wrote:
>>
>>> Then there is also the very serious issue of embedded devices using
>>> openssl. Tablets, smartphones, routers, ... etc. etc. 
>>
>> This problem only exists *if* these devices connect to a compromised or
>> rogue host via SSL/TLS *and* the user hasn't reset and or deleted
>> locally cached usernames and passwords.
> 
> That is not the whole truth. 

Yes, this is the whole truth.

> It has by now been shown that certificates
> and private keys were at risk for two years. You are affected by this
> bug if your browser (or any other SSL/TLS client) does not properly
> check for certificate revocations or if you try to visit a previously
> vulnerable system whose certificate was not revoked for some reason.

Hence my statement above:  "connect to a compromised or rogue host"

>> So, no, definitely not on the impact scale of Y2K.  That affected
>> *everyone* whereas this does not.  Anyone using an MS Windows PC, which
>> is the majority of the planet, whose financial institutions do not use
>> OpenSSL, are entirely safe from this bug.
> 
> No. This applies to everyone who is using sites that previously used a
> vulnerable version of OpenSSL. Since I generally cannot know which
> software is used by a specific site, I tend to go as far as concluding
> that any certificate from before 2014-04-08 may be stolen.

Intentionally quoting me out of context and then attempting to "correct"
my factual statements, without adding anything constructive to the
thread.  That's trolling.

> BTW, you shouldn't focus only on banks either. There are a lot of
> popular services that use free software a lot, some of which happen to
> include payment functionality.

I did not "focusing on banks".  I replied to Chris Bannister's statement
regarding *his bank*, which you snipped, again intentionally deleting
context in order to be a contradictarian.

Might have to add you to the kill file...

Cheers,

Stan

Reply to:

Follow-Ups:
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Richard Hector <richard@walnut.gen.nz>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Jochen Spieker <ml@well-adjusted.de>

References:
- My fellow (Debian) Linux users ...
  - From: Ralf Mardorf <ralf.mardorf@rocketmail.com>
- Re: My fellow (Debian) Linux users ...
  - From: Ralf Mardorf <ralf.mardorf@alice-dsl.net>
- Re: My fellow (Debian) Linux users ...
  - From: Ralf Mardorf <ralf.mardorf@rocketmail.com>
- Re: My fellow (Debian) Linux users ...
  - From: Joel Rees <joel.rees@gmail.com>
- Re: My fellow (Debian) Linux users ...
  - From: Ralf Mardorf <ralf.mardorf@rocketmail.com>
- Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Chris Bannister <cbannister@slingshot.co.nz>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Stan Hoeppner <stan@hardwarefreak.com>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Jochen Spieker <ml@well-adjusted.de>

Prev by Date: Re: My fellow (Debian) Linux users ...
Next by Date: Re: OpenVPN + Heartbleed question
Previous by thread: Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
Next by thread: Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
Index(es):
- Date
- Thread