Kitz Forum

Computer Software => Security => Topic started by: sevenlayermuddle on June 07, 2014, 09:00:19 PM

Title: OpenSSL, another blow
Post by: sevenlayermuddle on June 07, 2014, 09:00:19 PM
http://www.theguardian.com/technology/2014/jun/06/heartbleed-openssl-bug-security-vulnerabilities

I am told by reliable sources that these new issues are not really comparable in severity to the catastrophic 'Heartbleed' OpenSSL issue from a few months ago. All the same, as the Guardian's expert concludes...

Quote
“It does seem like another nail in the coffin for OpenSSL. It may not be dead but this must be another blow to people’s confidence.”

 :(

Title: Re: OpenSSL, another blow
Post by: loonylion on June 08, 2014, 01:39:50 AM
The Guardian's 'expert' doesn't know what he's talking about, IMO. Windows has security holes that have been there for years, in some cases, decades, that Microsoft doesn't see fit to fix, not to mention the dozens of security fixes released every month fixing flaws that 'could allow an attacker to gain control of your system' and it doesn't seem to hurt people's confidence in that product. At least with open source the problems get found and get fixed, usually fairly promptly.

The BBC's technology reporter is another one that often seems to have a very poor grasp of the subject he's reporting on.

Title: Re: OpenSSL, another blow
Post by: hake on July 07, 2014, 08:41:59 PM
I suppose that the people who gave these wags and wits their jobs didn't know anything either. I am pottering along with Windows XP and am as (un)safe as with Windows 7. The thing about Windows is that we know it is flawed. Those such as me are not complacent and there is much excellent security software to alert us when something dodgy is happening in Windows.

Windows XP is just so darned nice to use and there is loads that can be done to button it down.

Title: Re: OpenSSL, another blow
Post by: sevenlayermuddle on July 07, 2014, 09:23:03 PM
The thing that needs to be understood is that OpenSSL is not an operating system like Windows, rather just a relatively small component that is used by some OSes, notably some Linux and Android. In principle, Microsoft could have used it for Windows if they so wished for their own SSL layer, though they didn't.

Even if your PC is running Windows (or OS X, or Linux), with great AV software and you are keeping it all up to date, your bank's web server may be using OpenSSL, making your life savings vulnerable to its flaws. As may your Android phone, or your router, and other things that are probably outside your control and much harder to patch. :(