Heartbleed attack on Openssl / Pertinent? I say yes.
Christopher J. Walters
cwal989 at comcast.net
Wed Apr 9 20:35:36 CEST 2014
On 4/9/2014 12:51 PM, Robert J. Hansen wrote:
>> Dear GNUPG community,
> That right there should be your first hint. :)
> This is a great email list to get informed opinions on GnuPG and the
> OpenPGP RFCs, but this may not be a great place to get informed
> commentary on OpenSSL. It's a completely different software package run
> by a completely different outfit.
> You may get better answers if you ask on the OpenSSL mailing lists. :)
You're right in the respect that this list is only for GnuPG and OpenPGP RFC
However, the Heartbleed vulnerability is such a pervasive Internet security
issue that everyone needs to be made aware of it, so that they may become
educated on it. In my experience, the majority of Internet users take for
granted that their Internet banking, shopping, and all other "secure" uses of
the Internet are, in fact, truly *secure*. This vulnerability affect the
entire SSL of the Internet (since the majority of clients and servers use
OpenSSL) - that makes every site vulnerable to spoofing, and everyone who uses
the Internet for any secure transactions vulnerable to identity theft.
This bug *should* have been reported across the whole Internet when it was
discovered about 2 years ago, but even now, no one wants to talk or hear about
Imagine if ALL companies that produce locks, safes, and provide home security
had a security problem that would allow anyone who knew about the problem to
anonymously get keys (or even master keys) to any lock, and to override any
home security system, and get the combination to any safe. How would you
protect your home and valuables then? That is the type of problem that
Heartbleed is, and it IMO needs to be posted EVERYWHERE, so that people can at
least try to protect themselves.
More information about the Gnupg-users