Hi All,
I'm really worried about the vulnerabilities recently found in OpenSSL versions 
3.0.0 - 3.0.6. If I understand things correctly (and please do correct me if 
I'm wrong), it doesn't matter which version of OpenSSL clients are running, 
only which version of OpenSSL *servers* are running. Thus it seems like 
end-users can do very little to protect themselves. For example, how can an 
end-user tell if a website they're visiting is using a safe or an unsafe 
version of OpenSSL?

I did try putting my bank's website through an SSL tester (www.ssllabs.com), 
but I couldn't find an easy way to determine which version of OpenSSL they're 
running. I did get a protocol report, which read as follows:
TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

However, I don't know if any of those protocol version numbers give any 
indication as to the OpenSSL version number(s)?

Any advice would be greatly appreciated.

Many thanks,

Sent with Proton Mail secure email.

Reply via email to