Web lists-archives.com

Re: openssl/libssl1 in Debian now blocks offlineimap?




On Fri, Aug 18, 2017 at 10:07:49PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk 
>... 
> The PCI consortium extended the deadline until June
> 2018.  Assuming that deadline holds, people with older machines will not
> be able to access services such as online banking or pay online in
> general.

That's wrong.

Think of the "TLS 1.2 not working with WPA" discussed earlier here that 
might still affect half a billion active Android devices at the buster
release date.[1]

The online banking app running on such a device will support TLS 1.2

The PayPal app currently requires Android >= 4.0.3, released in 2011.

> ... but they're pragmatic.
> As they write in their press release: “…in the field a lot of business
> issues surfaced…” said Stephen Orfei, General Manager, PCI SSC. “We want
> merchants protected against data theft but not at the expense of turning
> away business, ...

Corollary:

It is permitted to run your online banking app on an Android device 
with a 5 year old firmware with no security updates ever available.

>...
> to make sure any users on platforms where support for that is
> lacking get a proper notification and a chance to move to something
> newer.
>...

Imagine Debian running on the AP providing the WiFi for a Cafe.

What you are saying is that the staff working at the Cafe should explain 
to their customers that they have to buy a new phone if they want to use 
the WiFi.

cu
Adrian

[1] I haven't investigated how widespread this specific problem 
    actually is, or whether it can be mitigated - the point is that
    it is unrelated to TLS versions supported by PayPal or online 
    banking apps running on the device

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed