Child Item

Site Totals

61368 Questions Answered 267 Categories

Heartbleed bug

So the version of OpenSSL is vulnerable to the Heartbleed bug, according to Bluebox. This is what Verizon tells me via chat:

Julissa: Thank you for waiting. The OpenSSL is part of the android device, as you can add and apps from third party sources or even your own apps. As long as you keep the Unknown Sources option turned off on your phone, there is not much risk

Julissa: You can find this option in Settings > Security & Screen Lock > Unknown Sources

Julissa: Great, the updates on the phone security are completed periodically. New bugs and risks pop up all the time and they are addressed with each update. I don't have a date on the next update on your phone, sorry about that.

Julissa: The biggest threat on a phone is from apps. Always make sure to check the ratings and comments from other users. As well as making sure it is a trusted developer.

I do not find this answer reassuring in the least.

Comments

lando13

The vulnerability is on servers not phones. So, I don't think you have to worry about this. Unless you have a server running android, you're good.

norabella

Not what I heard on NPR. There's a specific app called the Bluebox Heartbleed Scanner that I ran on my phone. It says "Android OS OpenSSL version 1.0.1c" and that "this version is of OpenSSL is vulnerable." I don't believe that OpenSSL is limited to servers.

Ann154

http://www.androidcentral.com/google-updates-back-end-light-heartbleed-vulnerability

TheTarquin

Wow, that's not good. The Heartbleed bug affects any device or computer running OpenSSL for secure connections. It can leak details about other users of the system. Until Verizon patches their web servers, DO NOT provide any sensitive data like credit card info, personal ID info, etc.

This is literally the worst bug the Internet has seen in years. That Verizon hasn't patched their servers yet is completely unconscionable.

norabella

Well, this article indicates that Android OS is OK except for 4.1.1. I've got 4.1.2. So maybe the Bluebox scanner is wrong? I am not sure I see how, because it's looking for the specific version of OpenSSL that is vulnerable. I assume the fix to this created a new version of OpenSSL.

norabella

Tarquin, I'm not saying that the Verizon servers are affected. This is just about the Android OS. I would bet that Verizon has addressed the issue on their web site, but it sure would be nice if they said something to that effect.

norabella

Now the Bluebox app won't launch, and their description at the app store says they apologize for any confusion with prior reports of devices being labeled as vulnerable (I assume when they weren't, which they don't actually say?). Confusion? Is it confusion when they get it wrong? How about not [removal required by the Verizon Wireless Terms of Service] around and saying you were wrong? I never got it to run in the "updated" state, but I'm thinking I don't want to. This is just great. Seems like a lot of programming hysteria around this bug. Just trying to do the right thing and be proactive. I think I'm going to let this one go and assume my Android is OK. Jeeze.

norabella

Ha ha ha! I got a word censored! Apparently one should not discuss the feet of felines on this site. Hee hee hee.

hearmenow

Apps aren't the problem. It's whether or not they've patched their server. I'm not reassured, either. Julissa doesn't know what she's talking about.

Jakeman1

The bug has been attacking phones as well as servers. You can download Lookout Heartbeat from the Play Store and it will tell you if you are vulnerable or not.

japetty

Well since VZW is the very last company in the USA to release updated software for our phones what are we to assume what they will do with the VZW servers? I would guess that VZW would be last as well to protect its customers.

Jakeman1

VZW May be the last company to push Phone Updates out to people but their infrastructure and what makes then capable of running a business are handled pretty fast. As far as phone updates go, yes they are slow but usually because the Phone Manufacturers are the ones building the software updates not VZW, and VZW needs to approve the update before they will push then out. The approval is what takes fore ever and is usually delayed because the manufacturer did not put all of VZW Bloatware in the release or they left something open that would make the phone usable by the end users etc...

japetty

I don't have any confidence in VZW doing anything to protect it's customers from anything and most all other large companies are cut from the same piece of crap. They do not protect customer sensitive information much like our government does not do anything as well. When it comes to talking a good story they just all say what customers want to hear but in the end the crooks get the customers sensitive information. The best bet is DON"T TRUST ANY OF THEM.

japetty

I do not find much reassuring about any of the canned answers VZW reads from the screen or copies and pastes to the chat. I would expect about as much because VZW does not want any responsible position that one of its people may put out and VZW have to live up to it. I just don't see how VZW can come up with a good position on customer care and gain any degree of customer confidence with this attitude.

Child Item