On 4/13/2014 10:03 PM, Chris Bannister wrote:
...
> considering it is a catastrophe worse than the Y2K bug.

This is several orders of magnitude less severe than Y2K.

> It seems very likely that people are using compromised apps on their
> smartphone and you'd think it would be advisable to warn people ASAP!

OpenSSL is a library, not an 'app'.

> Not even an email from the bank!

Many/most financial institutions disdain open source software and would much rather pay for proprietary commercial solutions so there is someone to sue and recover damages from when things go tits up. Most financial institutions tend to run operations on IBM or clone mainframes. Thus they'll likely be using IBM's mainframe implementations of SSL/TLS, or a commercial front-end termination device, neither of which is likely affected by this CVE, which is for a few specific versions of OpenSSL only.

> Then there is also the very serious issue of embedded devices using
> openssl. Tablets, smartphones, routers, ... etc. etc.

This problem only exists *if* these devices connect to a compromised or rogue host via SSL/TLS *and* the user hasn't reset and/or deleted locally cached usernames and passwords.

So, no, definitely not on the impact scale of Y2K. That affected *everyone*, whereas this does not. Anyone using an MS Windows PC, which is the majority of the planet, whose financial institutions do not use OpenSSL, is entirely safe from this bug.

The *nix community is going apeshit over this not because of bank accounts potentially getting drained, but because so many command/control systems of the Internet backbone are vulnerable to leaking encryption keys, potentially allowing any cracker access to them.

Cheers,
Stan

--
Archive: https://lists.debian.org/534b8648.1000...@hardwarefreak.com