Hi Michael,

Thanks very much for replying to my e-mail/post. I apologize for the lateness of my reply.

> This is not true in the general case. There are applications which are
> available on Linux which do not use the distribution's package manager. There
> are applications which use their own OpenSSL build, possibly linked
> statically or linked into one of their own shared objects or with the OpenSSL
> shared objects renamed. Linux distributions have not magically solved the
> problem of keeping all software on the system current.

That's disheartening. My next computer will be running Linux and I was thinking that (as long as I stick to installing software from appropriate repositories) my update worries would be over soon.

> It is possible, with relatively little effort, to find all the copies of the
> OpenSSL DLLs under their usual names on a system

Could you please provide me with a list of the usual names? I've got a lot of libssl DLLs on my system, but I'm not sure if they're part of OpenSSL or some other implementation of SSL.

> I'm not sure OpenSSL versions should be particularly high on anyone's priority
> list.

As I understand it, OpenSSL is responsible for establishing HTTPS connections, the primary protocol for ensuring security and authenticity over the Internet, and you *don't* think OpenSSL versions should be a high priority? I don't understand your lack of alarm here.

> What are you actually trying to accomplish? What's your task? Your threat
> model?

I want to be able to trust the HTTPS connections between my PC and servers on the Internet again; whether I'm using a browser, a software installer (that downloads data from the Internet before installing), a peer-to-peer application, or any other network application.

Thank you for your time.

Steven
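Added example, not part of the original e-mail: one way to inventory OpenSSL copies, including the renamed or statically linked builds mentioned in the quoted reply, is to search file contents for the version banner that OpenSSL builds embed, alongside a check for the stock Windows DLL names. The name list, the banner pattern and the sample directory tree are assumptions constructed for this example.

```python
import os
import re
import tempfile

# Banner that OpenSSL builds embed, e.g. b"OpenSSL 1.0.2k-fips  26 Jan 2017".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-[a-z0-9]+)?) +\d{1,2} [A-Z][a-z]{2} \d{4}")
# File names used by stock OpenSSL builds on Windows (pre-1.1.0, 1.1.x, 3.x).
USUAL_NAMES = re.compile(
    r"^(libeay32|ssleay32|lib(ssl|crypto)-(1_1|3)(-x64)?)\.dll$", re.I)

def scan_file(path):
    """Return the sorted OpenSSL version strings embedded in one file."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return []  # locked or unreadable file: skip it
    return sorted({m.group(1).decode("ascii") for m in BANNER.finditer(data)})

def scan_tree(root):
    """Walk root; return (relative path, versions, has_usual_name) per finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            versions = scan_file(full)
            usual = bool(USUAL_NAMES.match(name))
            if versions or usual:  # report banner hits and name-only hits
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, versions, usual))
    return sorted(findings)

def demo():
    """Build a constructed directory tree (no real binaries) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed byte strings standing in for real files
            "AppA/libeay32.dll": b"\x00MZ\x00OpenSSL 1.0.1f 6 Jan 2014\x00",
            "AppB/vendor_tls.dll": b"\x00OpenSSL 1.0.2k-fips  26 Jan 2017\x00",
            "AppC/app.exe": b"\x00static\x00OpenSSL 1.1.1w  11 Sep 2023\x00",
            "AppD/ssleay32.dll": b"\x00constructed file without a banner\x00",
            "AppE/readme.txt": b"uses TLS",
        }
        for rel, blob in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(blob)
        return scan_tree(root)
```

A file reported with a version but without a usual name is a renamed or embedded copy; a file with a usual name but no version needs manual inspection. Other TLS libraries do not carry this banner, so a banner hit indicates OpenSSL code specifically.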