[nSLUG] Re: Nasty zero day vulnerability in openssl CVE-2014-0160
mspencer at tallships.ca
Fri Apr 11 02:50:28 ADT 2014
> On 04/08/2014 08:37 PM, Mike Spencer wrote:
>> So if you're not a bleeding edge updater, Don't Panic. :-) E.g. one
>> report says Slackware 13.37 uses SSH 0.9.8, sans heartbeat. My even
>> older distro also uses 0.9.8.
> The downside of that is that 0.9.8 can only do TLS 1.0, which is
> much weaker than TLS 1.2. You should look into upgrading to a
> version of your distro that doesn't have such out of date software,
> as it is more likely to be vulnerable to certain kinds of attack
> (just not this one).
Not to start a protracted argument, but I don't really trust any of
the notionally "secure" protocols. I admittedly haven't read the
relevant RFCs but I read comp.risks. I don't do anything over the net
that involves money -- banking, shopping, paypal, for-fee online
services with CC, tax returns -- or life-critical info. It's unlikely
(albeit not astronomically so) that I'd be personally targeted but
there are repeated failures and foul-ups -- rogue or dubious cert
authorities, bulk data losses from behind encrypted transactions,
zero-day vulns including this latest major one.
If I were contemplating the overthrow of a sovereign state, the purchase
of nuclear weapons or just trying to disappear, I suppose I'd try to
use PGP or GPG combined with steg and some way to defeat traffic
And yes, if I were running an open Apache, sendmail or other server,
I'd have to upgrade numerous things that presently only accept contact
As it is, I only marginally understand the mechanism of SSL/TLS and
don't feel I can rely on it to be secure.
I do take various steps to avoid data collection about me by remote
sites but that's mostly another issue.
Michael Spencer Nova Scotia, Canada .~.
mspencer at tallships.ca /( )\
More information about the nSLUG