Steven_M.irc via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
> Hi Michael, Thanks very much for replying to my e-mail/post. I
> apologize for the lateness of my reply.
>> This is not true in the general case. There are applications which are
>> available on Linux which do not use the distribution's package
>> manager. There are applications which use their own OpenSSL build,
>> possibly linked statically or linked into one of their own shared
>> objects or with the OpenSSL shared objects renamed. Linux
>> distributions have not magically solved the problem of keeping all
>> software on the system current.
> That's disheartening. My next computer will be running Linux and I was
> thinking that (as long as I stick to installing software from
> appropriate repositories) my update worries would be over soon.
It's not specific to Linux. Almost every single "big" application (Chrome,
Firefox, OpenOffice) brings their own shared objects. Some of them contain
security mechanisms.
My impression is that you have just enough knowledge to be dangerous.
>> It is possible, with relatively little effort, to find all the copies
>> of the OpenSSL DLLs under their usual names on a system
> Could you please provide me with a list of the usual names? I've got a
> lot of libssl DLL's on my system, but I'm not sure if they're part of
> OpenSSL or some other implementation of SSL.
no, I can't/won't.
Two reasons: 1) I can't because they don't have "usual names", 2) you should
rely on your distribution to do the updates, and if you install packages
using other means, then you should rely on those mechanisms. If someone
tells you to "telnet fobar.com|sh", then you should be concerned that they
are probably not clueful enough to keep your up-to-date.
>> I'm not sure OpenSSL versions should be particularly high on anyone's
>> priority list.
> As I understand it, OpenSSL is responsible for establishing HTTPS
> connections, the primary protocol for ensuring security and
> authenticity over the Internet, and you *don't* think OpenSSL versions
> should be a high priority? I don't understand your lack of alarm here.
1) Bugs show up everywhere. You should be concerned about all libraries that
do all sorts of things.
2) Browsers tend to bring their own TLS implementation, which they
auto-update.
3) Since your desktop is a client systems, it probably isn't subject to attack.
>> What are you actually trying to accomplish? What's your task? Your
>> threat model?
> I want to be able to trust the HTTPS connections between my PC and
> servers on the Internet again; whether I'm using a browser, a software
> installer (that downloads data from the Internet before installing), a
> peer-to-peer application, or any other network application.
You can/should trust them as much this year as you did in 1997.
