> What versions of OpenSSL are affected?
>
> Status of different versions:
>
> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> OpenSSL 1.0.1g is NOT vulnerable
> OpenSSL 1.0.0 branch is NOT vulnerable
> OpenSSL 0.9.8 branch is NOT vulnerable
The media is making 'large waves' on this, but I do not think that they are communicating the correct/complete information.

If a website you use is vulnerable, then it is possible that the memory space of the OpenSSL task has been scraped to get the private SSL key and any information held in memory. If we assume that this bug was unknown until Monday and you haven't used the website recently, it is unlikely that your information is in memory; the private SSL key, however, will most likely be. We can be certain that many private keys are currently being scraped.

Changing your password on a vulnerable system will just make the situation worse for you as an individual. Wait until after the website has been patched AND only communicate if the SSL cert has been renewed. If the SSL cert of a previously vulnerable website is not renewed, there is an increased possibility that you are being phished.

The bigger question going forward is how the public knows whether or not to trust _ANY_ SSL cert which has not been generated in the past few days?

Simon.

_______________________________________________
clug-talk mailing list
clug-talk@clug.ca
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying
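An added example, not part of Simon's message or the quoted advisory, that turns the version table above into a check an administrator can run over the output of `openssl version` when inventorying hosts; the parsing rules and the `parse_version`/`is_heartbleed_vulnerable` names are my own.

```python
import re
from typing import Optional, Tuple

# OpenSSL "old style" version strings are MAJOR.MINOR.FIX plus an optional
# patch letter, e.g. "1.0.1f". Status per the quoted advisory text:
# 1.0.1 .. 1.0.1f vulnerable, 1.0.1g fixed, 1.0.0 and 0.9.8 branches unaffected.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(s: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse '1.0.1f' or a full `openssl version` line such as
    'OpenSSL 1.0.1e 11 Feb 2013' (constructed sample). Returns None if no
    version can be found; suffixes like '-fips' are ignored."""
    s = s.strip()
    if s.startswith("OpenSSL "):
        s = s[len("OpenSSL "):]
    m = VERSION_RE.match(s)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_vulnerable(s: str) -> Optional[bool]:
    """True for 1.0.1 through 1.0.1f, False for 1.0.1g and later and for
    every other branch, None when the string cannot be parsed at all."""
    v = parse_version(s)
    if v is None:
        return None
    major, minor, fix, letter = v
    if (major, minor, fix) != (1, 0, 1):
        return False  # 1.0.0, 0.9.8 and later branches are not in the range
    # An empty letter (plain 1.0.1) sorts before 'a'; 'f' is the last
    # vulnerable patch letter, 'g' is the fixed release.
    return letter <= "f"


if __name__ == "__main__":
    for line in ("OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g", "0.9.8y", "n/a"):
        print(f"{line!r}: vulnerable={is_heartbleed_vulnerable(line)}")
```

Distribution packages commonly backport the fix without changing the upstream version string, so a patched package may still report 1.0.1e; treat a "vulnerable" result as a prompt to check the package changelog, not as a verdict.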