Heartbleed attack on Openssl

Christopher J. Walters cwal989 at comcast.net
Thu Apr 10 22:33:15 CEST 2014


On 4/9/2014 11:13 PM, Robert J. Hansen wrote:
>> Thanks everyone for the quick and complete feedback. New questions arose:
>
> Again, you will have better luck asking on an OpenSSL mailing list.
> There is no guarantee that anyone on this mailing list is an expert in
> OpenSSL.

I, for one, admit that I am not an expert on OpenSSL.  *IF* I were, I would be 
posting on the OpenSSL mailing lists about the bug.

I doubt that ANYONE, including the OpenSSL community and developers, knows just
how seriously this bug has compromised the general security of the Internet, or
what sites were actually (not theoretically could be) compromised.  There is 
just not enough information to make any definitive statements on that issue, 
and there probably never will be given all of the other bugs (known and 
unknown) that can compromise a server's security.

As for regular users, from what I've read, there is really no additional risk 
to what you face from spyware, keyloggers, other malware and upstream bugs. 
That is UNLESS you either use a vulnerable version of OpenSSL with a data 
storage / encryption application to store site user names and passwords, credit 
/ debit card information, etc., or you run a server on your system that has a 
vulnerable version of OpenSSL.

In any case, I have to agree with you, Robert, the best place for information 
is the official heartbleed site and the OpenSSL mailing lists.




More information about the Gnupg-users mailing list