[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

On 4/14/2014 5:53 AM, Jochen Spieker wrote:
> Stan Hoeppner:
>> On 4/13/2014 10:03 PM, Chris Bannister wrote:
>>> Then there is also the very serious issue of embedded devices using
>>> openssl. Tablets, smartphones, routers, ... etc. etc. 
>> This problem only exists *if* these devices connect to a compromised or
>> rogue host via SSL/TLS *and* the user hasn't reset and or deleted
>> locally cached usernames and passwords.
> That is not the whole truth. 

Yes, this is the whole truth.

> It has by now been shown that certificates
> and private keys were at risk for two years. You are affected by this
> bug if your browser (or any other SSL/TLS client) does not properly
> check for certificate revocations or if you try to visit a previously
> vulnerable system whose certificate was not revoked for some reason.

Hence my statement above:  "connect to a compromised or rogue host"

>> So, no, definitely not on the impact scale of Y2K.  That affected
>> *everyone* whereas this does not.  Anyone using an MS Windows PC, which
>> is the majority of the planet, whose financial institutions do not use
>> OpenSSL, are entirely safe from this bug.
> No. This applies to everyone who is using sites that previously used a
> vulnerable version of OpenSSL. Since I generally cannot know which
> software is used by a specific site, I tend to go as far as concluding
> that any certificate from before 2014-04-08 may be stolen.

Intentionally quoting me out of context and then attempting to "correct"
my factual statements, without adding anything constructive to the
thread.  That's trolling.

> BTW, you shouldn't focus only on banks either. There are a lot of
> popular services that use free software a lot, some of which happen to
> include payment functionality.

I did not "focusing on banks".  I replied to Chris Bannister's statement
regarding *his bank*, which you snipped, again intentionally deleting
context in order to be a contradictarian.

Might have to add you to the kill file...



Reply to: