04-13-2014, 11:58 AM
Originally Posted by chas_m
Banks (and Apple, and Microsoft) don't use OpenSSL, so its a non-issue with them (as you can see from the Mashable page).
I'm willing to bet good money that they actually do (except for MS who likely uses IIS and their own SSL implementation). For example, Apple is known to use OpenSSL. Indeed, the LastPass HB checker notes this for something like iCloud (see here
). While it's possible that Apple has crafted their own implementation of SSL and TLS, I'm not counting on it given that, last estimate I saw, OpenSSL was the implementation used for nearly 2/3 of all SSL and TLS implementations. Beyond that, given that this wasn't an official announcement from Apple (a "spokesperson" made the claim with no official release) and their rich Unix legacy, I think it's safe to say that OpenSSL is widely used. I could be wrong but until there's some official announcement, the odds are against the idea that Apple doesn't use it (which is certainly not a criticism for it's a fine piece of software).
Banks though will definitely be using it. Unless their running Windows servers (and thus likely running IIS), odds are that they'll be using it. For example, the CBA notes (source
) that banks aren't affected (given the multiple layers of security) but none of them notes that they weren't using OpenSSL (which leads me to believe that they were and still probably are).
Call me a skeptic but until there's evidence that these groups don't use OpenSSL, I'm inclined to believe that they do. However, this doesn't necessarily mean that they're affected for they could be running unaffected version.