Hi Michael, Thanks very much for replying to my e-mail/post. I apologize for the lateness of my reply. > This is not true in the general case. There are applications which are available on Linux which do not use the distribution's package manager. There are applications which use their own OpenSSL build, possibly linked statically or linked into one of their own shared objects or with the OpenSSL shared objects renamed. Linux distributions have not magically solved the problem of keeping all software on the system current. That's disheartening. My next computer will be running Linux and I was thinking that (as long as I stick to installing software from appropriate repositories) my update worries would be over soon. >It is possible, with relatively little effort, to find all the copies of the OpenSSL DLLs under their usual names on a system Could you please provide me with a list of the usual names? I've got a lot of libssl DLL's on my system, but I'm not sure if they're part of OpenSSL or some other implementation of SSL. >I'm not sure OpenSSL versions should be particularly high on anyone's priority list. As I understand it, OpenSSL is responsible for establishing HTTPS connections, the primary protocol for ensuring security and authenticity over the Internet, and you *don't* think OpenSSL versions should be a high priority? I don't understand your lack of alarm here. >What are you actually trying to accomplish? What's your task? Your threat model? I want to be able to trust the HTTPS connections between my PC and servers on the Internet again; whether I'm using a browser, a software installer (that downloads data from the Internet before installing), a peer-to-peer application, or any other network application. Thank you for your time. Steven
