Comments
I can vouch for @VMbox and their SSL certificates. Excellent guy to deal with.
Back to the topic on hand, nobody will successfully claim damages for the 'Heartbleed' situation.
Like various people have pointed out, the CAs are not liable unless the keys are cracked because of something they have done themselves.
I use PositiveSSL purchased through NameCheap. Reissues are free and real easy to do.
Has anyone been compromised due to the exploit?
Possibly, but remember this exploit has been around for a long time. It has only just been publicly discussed.
Even if someone has been compromised by it, there is no avenue they can take to claim damages. Unless they have some special insurance that covers them for anything that could/will happen on the internet lol.
Facebook claim they fixed it some time ago but didn't share it with anybody else.
Possibly. Although it currently looks as though you'd have had to have been keeping detailed TLS-layer traffic logs to be able to check for evidence of malicious heartbeats.
Source: https://eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013
Many people could have been compromised; it's very unlikely there were many keeping track of the traffic in such detail to even detect it.
And still the vulnerability is not caused by the cert; it is caused by the protocol.
Sorry, OCD, the vulnerability is caused by the implementation of the protocol; the protocol is still exploit-free.
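The distinction made in this reply (protocol versus implementation), together with the earlier point that spotting malicious heartbeats needs TLS-layer records, can be shown with a short passive check over captured TLS records. The Python below is an added example written for this thread, not code posted by anyone here and not OpenSSL's code. It parses a constructed byte stream of TLS records and applies the rule from RFC 6520 that a conforming implementation enforces: a heartbeat whose payload_length (plus the mandatory 16 bytes of padding) does not fit inside the record must be discarded. The record layout and the padding minimum come from RFC 6520; the sample records, the function names and the verdict structure are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Constructed example: a passive check over already-captured TLS records.
TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
TLS_APPLICATION_DATA = 0x17
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: padding_length MUST be at least 16 bytes


@dataclass
class HeartbeatVerdict:
    offset: int               # byte offset of the record in the captured stream
    hb_type: int
    claimed_payload_len: int  # payload_length field exactly as the peer sent it
    available: int            # bytes actually present after the 3-byte heartbeat header
    malformed: bool
    reason: str


def tls_record(content_type: int, body: bytes, version: int = 0x0302) -> bytes:
    """Build one TLS record: 1-byte type, 2-byte version, 2-byte length, then body."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def parse_tls_records(stream: bytes):
    """Yield (offset, content_type, body) for every complete TLS record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + rlen]
        if len(body) < rlen:
            break  # truncated capture: stop rather than guess at the missing bytes
        yield off, ctype, body
        off += 5 + rlen


def check_heartbeat(offset: int, body: bytes) -> HeartbeatVerdict:
    """Apply the RFC 6520 length rule. A correct implementation checks that
    payload_length fits inside the record before touching the payload; one that
    trusts payload_length and copies that many bytes is the Heartbleed defect."""
    if len(body) < 3:
        return HeartbeatVerdict(offset, 0, 0, len(body), True, "heartbeat header truncated")
    hb_type = body[0]
    claimed = struct.unpack_from("!H", body, 1)[0]
    available = len(body) - 3
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return HeartbeatVerdict(offset, hb_type, claimed, available, True, "unknown heartbeat type")
    if claimed + MIN_PADDING > available:
        return HeartbeatVerdict(offset, hb_type, claimed, available, True,
                                "payload_length exceeds record; RFC 6520 says discard")
    return HeartbeatVerdict(offset, hb_type, claimed, available, False, "well-formed")


def scan_stream(stream: bytes) -> list:
    """Return a verdict for each heartbeat record; other record types are ignored."""
    return [check_heartbeat(off, body)
            for off, ctype, body in parse_tls_records(stream)
            if ctype == TLS_HEARTBEAT]


# Constructed sample capture (not real traffic): an application-data record, a
# well-formed 4-byte heartbeat request with 16 bytes of padding, and a 3-byte
# heartbeat whose payload_length claims far more than the record carries.
GOOD_HEARTBEAT = tls_record(
    TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING)
BAD_HEARTBEAT = tls_record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 0x4000))
SAMPLE_STREAM = tls_record(TLS_APPLICATION_DATA, b"\xde\xad\xbe\xef") + GOOD_HEARTBEAT + BAD_HEARTBEAT

if __name__ == "__main__":
    for v in scan_stream(SAMPLE_STREAM):
        flag = "MALFORMED" if v.malformed else "ok"
        print(f"offset {v.offset}: type={v.hb_type} claimed={v.claimed_payload_len} "
              f"available={v.available} -> {flag} ({v.reason})")
```

Run as-is, the scan reports the second heartbeat as malformed and leaves the application-data record alone. The same check only works on the decrypted record layer or on heartbeats sent before the handshake completes, which is exactly why a site without TLS-layer records has no way to tell after the fact whether it received such requests.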
So many people think
Can I buy pot from you, or have you smoked it all already?
Sorry to sound a bit "high" but this is the closest claimable case I ever imagine. I am not going to file a claim or anything just curious.
For me, SSL provider promises "data transmitted using https is safe" and apparently their promise does not hold anymore. Just my $0.2
But it is safe to the best of their ability. Their certificate hasn't failed you.
Your installation of OpenSSL has failed you. If any is to blame, it is the OpenSSL developers.
What about the age old question of whether we're allowed to sign up for a month, idle our VPS, use the free SSL offer and then cancel?
You certainly could, although you never know, you might want to stay.
Your client area is currently presenting a 500 error, any idea on when you'll fix this?
It was fixed shortly after you posted.
So... um... big question. Would the liability exist if they explicitly recommended OpenSSL or an OpenSSL-dependent product, and you kept fully up to date?
That's the big question. If you used OpenSSL because of their recommendation, and you kept it properly up to date, then whose fault would it be?
OpenSSL's - they didn't know that it had a bug in it.
There will probably be class actions. If you really want to go down this road, maybe try to hitch your wagon to that. I'm sure lawyers will figure out how to go after someone with money somehow.
That's not the way the law works.
Also... people who look around saying "hey, is this an opportunity for me to sue someone and get rich?" disgust me.
Do you even understand the Heartbleed problem on a basic level?
It always scares me when people don't know what they don't know.
Interesting point but I think the liability would still fall with OpenSSL. A certificate vendor would generally be safe given that it is still a recommendation and not a requirement.
The customer would still be making a choice to go down the OpenSSL avenue themselves and therefore in effect in an agreement with them that their product won't fail.
As far as I can see, there is no possible scenario where the certificate vendor could be liable given the current circumstances that this topic is based around.
Tl;dr for the OP, no this isn't an opportunity to claim money from your SSL vendor. No matter how you twist the facts.
EDIT: At a push, an end user of a site and/or service using HTTPS could hold liability to a host who is using the vulnerable version of OpenSSL and is reluctant to take steps to fix it. However, I spent 20 minutes yesterday checking a load of big sites and all had either been fixed or were using an older version of OpenSSL.
It's the unknown unknown.