Re: [libreoffice-users] Re: Heartbleed

Hi :)
From what i heard most of this is a case of the solution being more of a
hindrance than the actual problem was in the first place.

There is a LOT of politics at play here because openSSL was OpenSource.
Apparently it was running on donations of about $2k/yr and less than
minimal staffing.  If all the companies using it donated 0.1% of their
income towards the project then it would be raking in millions.  So, it's
carefully being ignored that the last time openSSL had a problem was 15
years ago.

Taking advantage of this problem would have required an extreme amount of
skill and a huge amount of patience.  Each successful attack on a website
would scrape something like 64kb, or was it 16?  So getting anything useful
would take millions of attacks, which would probably have been noticed as a
sudden increase in network traffic and caused the website to crouch down in
defensive mode (or maybe even start counter-attacks in a tiny number of
cases).

The question is are you storing valuable data on whichever website?  Is
your password to that site likely to give-away all, or a lot of, the
passwords you use on other sites? How about the security question for when
you forget your password?  How much personal information does whichever
site hold about you and could that data be used to cause you some bother?
Even where the answers to all but q1 are "yes" you have to bear in mind
that they would have to be quick to deal with the tons of other people's
information they had scraped at the same time and could the criminal
process all that fast enough?

So most of the threat has been blown out of all proportion.  Of course we
still have to fix it but that has probably already been done and now we
just sit&wait for external recognition of that fact.  The people who verify
that are swamped so it might be a bit of a wait.

It might be a good idea to step-up your own security over the next few
months.  Anyone continuing to use Internet Explorer deserves whatever they
get now more than ever.

Regards from
Tom :)







On 18 April 2014 19:51, Sophie <gautier.sophie@gmail.com> wrote:

> Hi,
> Le 18/04/2014 20:33, alnuwer a écrit :
> > Hi all,
> >
> > To answer you specific question now:
> > Le 18/04/2014 17:37, alnuwer a écrit :
> > > So I guess I have 3 choices:
> > > Do nothing  - I'm running version 4.2.2.1  (I have it set to auto
> update)
> > > Go "back" to 4.1.5. Will I be giving up functionality?
> > > Go to 4.2.3.3. But the release notes say it "remains targeted for early
> > > adopters and private power users," which I'm not!
> >
> > Each of the 4.2.x.x releases are for early adopters because the version
> > is still quite new and needs more tests to be said "Stable". If you use
> > version of this branch you should always update to the last available.
> > > So in layman terms, what is the difference between 4.2.2.1 and 4.1.5?
> >
> > See above, the 4.1.5 version is stable and has been tested for a long
> > time now. I you want to use it for your daily work, you should always
> > stay with this branch 4.1.x, until the 4.2.x branch is said stable and
> > for all users.
> >
> > Kind regards
> > Sophie
> >
> > Thanks Sophie - I am updating to 4.2.3.3.
> > Recall, I started this thread because my password manager, LastPass,
> flagged
> > the site openoffice.org as vulnerable. The discussion took on a life of
> it's
> > own regarding the OpenOffice application. I believe this was goodness,
> but
> > now, what about the openoffice.org site? Is it indeed vulnerable? And
> if so,
> > when will it get fixed?
>
> Hey, you are on the LibreOffice list, so I don't know, may be they need
> to wait for the new certificate to be in place :) A lot of sites have
> been affected and not all of them have been able to add the new
> certificate quickly however they patched the OpenSSL security thing and
> the site by itself was safe, only the new certificate needed to be
> issued, at least that's what we've done on the LibreOffice
> infrastructure side.
>
> Kind regards
> Sophie
>
>
> --
> To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org
> Problems?
> http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
> Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
> List archive: http://listarchives.libreoffice.org/global/users/
> All messages sent to this list will be publicly archived and cannot be
> deleted

-- 
To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted