[nSLUG] Nasty zero day vulnerability in openssl CVE-2014-0160

Ben Armstrong synrg at sanctuary.nslug.ns.ca
Fri Apr 11 06:32:55 ADT 2014


On 11/04/14 02:50 AM, Mike Spencer wrote:
> Not to start a protracted argument, but I don't really trust any of
> the notionally "secure" protocols.  I admittedly haven't read the
> relevant RFCs but I read comp.risks.  I don't do anything over the net
> that involves money -- banking, shopping, paypal, for-fee online
> services with CC, tax returns -- or life-critical info.  It's unlikely
> (albeit not astronomically so) that I'd be personally targeted but
> there are repeated failures and foul-ups -- rogue or dubious cert
> authorities, bulk data losses from behind encrypted transactions,
> zero-day vulns including this latest major one.

That is admirable, but is a sacrifice in convenience that is not an easy
decision for everyone.

> And yes, if I were running an open Apache, sendmail or other server,
> I'd have to upgrade numerous things that presently only accept contact
> from localhost.

That was my primary concern.

Ben




