Current publicly disseminated information on this bug is woefully inadequate. Whether you like it or not, it's *your* bug, so you bear a major part of the burden in making sure your first-level clients and end users know what they should be doing about it.

In particular, end users need to understand better where the vulnerable software might reside. Is a user vulnerable based on stuff installed on his own computers? Based only on web apps implemented by his service providers (e.g., financial institutions)? Based on what browsers, etc., he may have used to access his service providers? End users need to understand how to determine whether or not they have vulnerable software versions installed on their own computers and whether or not their service providers are safe.

There's currently a lot of agitated media advice being given that "everyone should change all their passwords." If I'm using vulnerable services, wouldn't changing all my passwords now be ineffective? Wouldn't it give me a false sense of security?

Take charge of this. Your bug, your responsibility.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [email protected]
Automated List Manager                          [email protected]
