On Apr 10, 2014 12:22 AM, "Felipe Vieira" <fmv1...@gmail.com> wrote:
>
> So going back to the original question as I can see there is no disagreement on its importance:
> 1) What are the consequences to the ordinary user?
> All the news are lacking information on that. Can you point relevant examples?

Any service using a vulnerable version of OpenSSL in the last two years could have been silently attacked, with the attackers being able to gain access to information stored in the server's memory. The attacker might get memory containing empty sections, boring system files, secret cryptographic keys (the compromise of which could, in some cases, lead to user data being decrypted or a MITM being possible with no warnings), user data, etc.

It's not clear if any bad guys knew about the bug prior to the announcement. If they didn't, and one patched any affected servers as soon as possible, then the effects would be quite minimal. If they did know and exploited things, or if one has not yet patched vulnerable systems, things could be very bad.

In short: the consequences could be dire, but there is no way of knowing for certain what, if any, things have been compromised. It's probably best to assume the worst.

> All I could gather is that the only major/well known server to be compromised was Yahoo.

Yahoo fixed the issue shortly after the public announcement of the bug. It is not clear if bad guys were able to compromise their systems before it was fixed, but researchers were able to successfully probe various systems at Yahoo prior to the fix, so one should assume bad guys could do the same.

> For example: Gmail and Dropbox and Hotmail seem to be immune to this. I also found out that Mozilla/Firefox browser were also immune. If I would persuade someone of this bug's importance, which other examples could I give?

No service using an affected version of OpenSSL is immune. Some (like Cloudflare) received advance notice and patched their systems before the public announcement, while others may have used other SSL libraries or versions of OpenSSL that were not vulnerable.

> 2) (specific question) Does Firefox use openssl to connect to some servers while browsing?

No. Firefox is immune because it uses the NSS crypto library. The issue typically exists on and affects servers. A server using an affected version of OpenSSL is vulnerable regardless of what browser clients use.

> 3) How about Ubuntu and other OSs? Do they use openssl to update themselves? (as in "apt-get update && apt-get upgrade").

Ubuntu and Debian use GnuPG to sign packages, but updates typically take place over unencrypted connections. The update mechanism is not affected by this bug.

Cheers!
-Pete
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
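The reply above describes the effect of the bug (a server handing back whatever sits in its memory next to the heartbeat record) but not the mechanism. The following is an added example, not code from the thread or from OpenSSL itself: a simplified C model of the heartbeat handler, with the unchecked copy beside the bounds-checked form. The 16-byte padding constant and the two length checks follow the shape of the OpenSSL 1.0.1g fix; the arena layout, the `SECRET` string, the `ARENA_SIZE`/`SECRET_OFFSET` values and all function names are constructed for the demonstration. The out-of-bounds read is confined to a single array so the program stays well-defined while still showing what a real server would have echoed back.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Simulated slice of process memory (constructed for this example): the
 * received heartbeat record sits at offset 0, and 32 bytes later lies data
 * that was never meant to leave the process, e.g. key material. */
enum { ARENA_SIZE = 128, SECRET_OFFSET = 32 };
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Heartbeat header on the wire: type (1 byte), payload_length (2 bytes,
 * big-endian), payload, then at least 16 bytes of random padding. */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: the
 * payload_length field comes from the peer and is copied back without ever
 * being compared against the number of bytes actually received. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    (void)rec_len;                       /* ignored: this is the bug */
    uint16_t plen = read_be16(rec + 1);  /* attacker-controlled */
    if (plen > out_cap) return 0;        /* only keeps the demo's output buffer safe */
    memcpy(out, rec + 3, plen);          /* reads past the record into what follows it */
    return plen;
}

/* Fixed handler, modelled on the 1.0.1g patch: check that the header fits,
 * then that the claimed payload plus padding fits the record length, and
 * silently discard anything that does not. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING > rec_len) return 0;
    uint16_t plen = read_be16(rec + 1);
    if (1 + 2 + (size_t)plen + HB_PADDING > rec_len) return 0;
    if (plen > out_cap) return 0;
    memcpy(out, rec + 3, plen);
    return plen;
}

/* Build the arena: a malicious request claiming 64 payload bytes while
 * carrying only 2, followed at SECRET_OFFSET by the secret. Returns the
 * number of bytes that actually arrived on the wire. */
static size_t build_arena(uint8_t *arena)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x40;    /* claimed payload_length = 64 */
    arena[3] = 'h';  arena[4] = 'i';     /* real payload: 2 bytes */
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET - 1);
    return 1 + 2 + 2 + HB_PADDING;       /* 21 bytes received */
}

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Number of bytes the handler echoes back for the malicious request. */
size_t echoed_bytes(hb_handler handler)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena);
    return handler(arena, rec_len, out, sizeof out);
}

/* 1 if the echoed bytes contain the secret, 0 otherwise. */
int leaks_secret(hb_handler handler)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena);
    size_t n = handler(arena, rec_len, out, sizeof out);
    return contains(out, n, SECRET);
}

int main(void)
{
    printf("vulnerable: echoed %zu bytes, secret leaked: %s\n",
           echoed_bytes(heartbeat_vulnerable),
           leaks_secret(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed:      echoed %zu bytes, secret leaked: %s\n",
           echoed_bytes(heartbeat_fixed),
           leaks_secret(heartbeat_fixed) ? "yes" : "no");
    return 0;
}
```

The vulnerable handler returns 64 bytes for a 21-byte record and the secret is among them; the fixed handler returns nothing. In a real server the bytes past the record are whatever the allocator placed there, which is why the reply above can only say what *might* be leaked: the attacker chooses how much to read, not what.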