On 4/14/2014 5:53 AM, Jochen Spieker wrote:
> Stan Hoeppner:
>> On 4/13/2014 10:03 PM, Chris Bannister wrote:
>>
>>> Then there is also the very serious issue of embedded devices using
>>> openssl. Tablets, smartphones, routers, ... etc. etc.
>>
>> This problem only exists *if* these devices connect to a compromised or
>> rogue host via SSL/TLS *and* the user hasn't reset and/or deleted
>> locally cached usernames and passwords.
>
> That is not the whole truth.

Yes, this is the whole truth.

> It has by now been shown that certificates
> and private keys were at risk for two years. You are affected by this
> bug if your browser (or any other SSL/TLS client) does not properly
> check for certificate revocations or if you try to visit a previously
> vulnerable system whose certificate was not revoked for some reason.

Hence my statement above: "connect to a compromised or rogue host"

>> So, no, definitely not on the impact scale of Y2K. That affected
>> *everyone* whereas this does not. Anyone using an MS Windows PC, which
>> is the majority of the planet, whose financial institutions do not use
>> OpenSSL, are entirely safe from this bug.
>
> No. This applies to everyone who is using sites that previously used a
> vulnerable version of OpenSSL. Since I generally cannot know which
> software is used by a specific site, I tend to go as far as concluding
> that any certificate from before 2014-04-08 may be stolen.

Intentionally quoting me out of context and then attempting to "correct" my factual statements, without adding anything constructive to the thread. That's trolling.

> BTW, you shouldn't focus only on banks either. There are a lot of
> popular services that use free software a lot, some of which happen to
> include payment functionality.

I was not "focusing on banks". I replied to Chris Bannister's statement regarding *his bank*, which you snipped, again intentionally deleting context in order to be a contradictarian. Might have to add you to the kill file...

Cheers,

Stan

Archive: https://lists.debian.org/534bc714.4040...@hardwarefreak.com