OpenSSL License - Copyright © 1998-2011 The OpenSSL Project
Yeah, how to find out is the big question here - about:config is just citing:
Quote from: http://heartbleed.com/
When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
However it's not the browser which gets attacked and exploited but the server. So it does not make any difference which browser you are using.
But my point is that being connected with an unpatched browser to an unpatched server has got to be worse than being connected with a patched browser to an unpatched server.
Quote from: http://heartbleed.com/
Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.
You got an answer. It's hilarious: "Opera 12 doesn't support SSL heartbeat and is not affected." https://vivaldi.net/forum/web-standards/410-client-side-ssl#6125 It's like saying the old version of Windows doesn't support this recently released virus.
The answer is pretty much to the point, and it is poor coding, not a virus.
The Presto engine used in Opera 12 and older does use OpenSSL, but not the features of OpenSSL which contained the vulnerability. Hence Presto is not vulnerable, on any platform. This includes Opera Mini and Opera Mail, which use Presto. Opera Mini encryption between the client and proxy is also unaffected. Opera 14 and higher runs on Chromium. Desktop versions do not use OpenSSL. Android versions do, but not the features which contained the vulnerability. Coast by Opera only uses OpenSSL for certification information, not any parts of the vulnerable code. So the short version is that Opera products are not vulnerable*. Opera will of course use plugins, and may also use or call system functions or libraries, so even if you are using Opera, you should still make sure your system is secured and up to date.
* No absolutes without caveats. Even though Presto does not use any vulnerable parts of OpenSSL, the standalone autoupdater for Opera 12 on Windows does. However, the autoupdater will only connect to our server, and close the connection if the certificate does not validate, so the certificate holders are the only ones who can abuse it. If someone should have stolen our certificate with a heartbleed attack against our servers, they might potentially use it against the autoupdater. The autoupdater runs in a separate process, and doesn't have much memory to leak, but might potentially leak system information in such a case, such as local username on Windows machines. We aim to get an update out soon. An attack on the autoupdate mechanism itself would still have to bypass additional protections. (source)
Unless it's a version from before late 2011, I'd count on it being vulnerable. I'm not sure how to find out.
As I browsed the Heise news today I came across this headline, "Horror-Bug in OpenSSL" (German site), which is about this vulnerability ("Heartbleed Bug") and has been in OpenSSL since December 2011. Because that bug affects both sides (client-server &| server-client) I am asking myself which version of OpenSSL is implemented in e.g. Opera 12.16. Anyone any ideas?
As I understand it, it's a server-side exploit and not a client-side one.
The vulnerability has existed since December 31, 2011. A sad example why security/trust in open source software shouldn't be overrated - "the more eyes the better".