[nSLUG] Re: Nasty zero day vulnerability in openssl CVE-2014-0160

Mike Spencer mspencer at tallships.ca
Fri Apr 11 02:50:28 ADT 2014

Ben wrote:

> On 04/08/2014 08:37 PM, Mike Spencer wrote:
>> So if you're not a bleeding edge updater, Don't Panic. :-) E.g. one
>> report says Slackware 13.37 uses SSH 0.9.8, sans heartbeat. My even
>> older distro also uses 0.9.8.
> The downside of that is that 0.9.8 can only do TLS 1.0, which is
> much weaker than TLS 1.2. You should look into upgrading to a
> version of your distro that doesn't have such out of date software,
> as it is more likely to be vulnerable to certain kinds of attack
> (just not this one).

Not to start a protracted argument, but I don't really trust any of
the notionally "secure" protocols.  I admittedly haven't read the
relevant RFCs but I read comp.risks.  I don't do anything over the net
that involves money -- banking, shopping, PayPal, for-fee online
services with CC, tax returns -- or life-critical info.  It's unlikely
(albeit not astronomically so) that I'd be personally targeted but
there are repeated failures and foul-ups -- rogue or dubious cert
authorities, bulk data losses from behind encrypted transactions,
zero-day vulns including this latest major one.

If I were contemplating the overthrow of a sovereign state, the purchase
of nuclear weapons or just trying to disappear, I suppose I'd try to
use PGP or GPG combined with steg and some way to defeat traffic

And yes, if I were running an open Apache, sendmail or other server,
I'd have to upgrade numerous things that presently only accept contact
from localhost.

As it is, I only marginally understand the mechanism of SSL/TLS and
don't feel I can rely on it to be secure.

I do take various steps to avoid data collection about me by remote
sites but that's mostly another issue.

- Mike

