Heartbleed attack on OpenSSL
Christopher J. Walters
cwal989 at comcast.net
Thu Apr 10 22:33:15 CEST 2014
On 4/9/2014 11:13 PM, Robert J. Hansen wrote:
>> Thanks everyone for the quick and complete feedback. New questions arose:
>
> Again, you will have better luck asking on an OpenSSL mailing list.
> There is no guarantee that anyone on this mailing list is an expert in
> OpenSSL.

I, for one, admit that I am not an expert on OpenSSL. *IF* I were, I would be
posting on the OpenSSL mailing lists about the bug.

I doubt that ANYONE, including the OpenSSL community and developers, knows just
how seriously this bug has compromised the general security of the Internet, or
what sites were actually (not theoretically could be) compromised. There is
just not enough information to make any definitive statements on that issue,
and there probably never will be given all of the other bugs (known and
unknown) that can compromise a server's security.

As for regular users, from what I've read, there is really no additional risk
to what you face from spyware, keyloggers, other malware and upstream bugs.
That is UNLESS you either use a vulnerable version of OpenSSL with a data
storage / encryption application to store site user names and passwords, credit
/ debit card information, etc., or you run a server on your system that has a
vulnerable version of OpenSSL.

In any case, I have to agree with you, Robert, the best place for information
is the official Heartbleed site and the OpenSSL mailing lists.

More information about the Gnupg-users
mailing list