[nSLUG] Nasty zero day vulnerability in openssl CVE-2014-0160

George N. White III gnwiii at gmail.com
Thu Apr 17 13:34:46 ADT 2014


On Fri, Apr 11, 2014 at 11:51 AM, Julien Savoie <
julien.savoie at usainteanne.ca> wrote:

> I'm using regular HTTP to take credit card orders on my site, so this
> big SSL bug doesn't affect me, right?
>

I suppose your site offers a special deal on a well-maintained bridge in
Montreal too.


> On 11/04/14 07:31 AM, George N. White III wrote:
> > The early reports indicated the bug only affected html servers using
> > https,
> I really hope no one actually said that, because that's stupid.  The
> vulnerability is within the TLS extension heartbeat (RFC 6520), not
> http.  I've had success against my own dovecot imap server.
>

At a young age I learned that the details of any news story on a topic where
you have direct knowledge are rarely correct.

ACM Technews on Friday <
http://technews.acm.org/archives.cfm?fo=2014-04-apr/apr-11-2014.html> said:
"Security experts on Thursday warned the "Heartbleed" computer virus can
attack email systems, security firewalls, and possibly mobile phones, as
well as Web servers." In fact, the Reuters article (viewed today)
doesn't appear to contain the word "virus", but does mention the problems
facing people who are waiting for vendors to release fixes to firewalls,
etc.

-- 
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia