Heartbleed attack on OpenSSL / Pertinent? I say yes.

Christopher J. Walters cwal989 at comcast.net
Wed Apr 9 20:35:36 CEST 2014


On 4/9/2014 12:51 PM, Robert J. Hansen wrote:
>> Dear GNUPG community,
>
> That right there should be your first hint.  :)
>
> This is a great email list to get informed opinions on GnuPG and the
> OpenPGP RFCs, but this may not be a great place to get informed
> commentary on OpenSSL.  It's a completely different software package run
> by a completely different outfit.
>
> You may get better answers if you ask on the OpenSSL mailing lists.  :)

You're right in the respect that this list is only for GnuPG and OpenPGP RFC 
support.

However, the Heartbleed vulnerability is such a pervasive Internet security 
issue that everyone needs to be made aware of it, so that they may become 
educated on it.  In my experience, the majority of Internet users take for 
granted that their Internet banking, shopping, and all other "secure" uses of 
the Internet are, in fact, truly *secure*.  This vulnerability affects the 
entire SSL of the Internet (since the majority of clients and servers use 
OpenSSL) - that makes every site vulnerable to spoofing, and everyone who uses 
the Internet for any secure transactions vulnerable to identity theft.

This bug *should* have been reported across the whole Internet when it was 
discovered about 2 years ago, but even now, no one wants to talk or hear about 
it anywhere.

Imagine if ALL companies that produce locks, safes, and provide home security 
had a security problem that would allow anyone who knew about the problem to 
anonymously get keys (or even master keys) to any lock, and to override any 
home security system, and get the combination to any safe.  How would you 
protect your home and valuables then?  That is the type of problem that 
Heartbleed is, and it IMO needs to be posted EVERYWHERE, so that people can at 
least try to protect themselves.

Regards,
Chris



More information about the Gnupg-users mailing list