[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

Georgi Guninski guninski at guninski.com
Fri Apr 11 06:32:44 PDT 2014


On Fri, Apr 11, 2014 at 03:07:09PM +0200, tpb-crypto at laposte.net wrote:
> > Message du 11/04/14 05:44
> > De : dan at geer.org
> > > It makes me wonder if the NSA was involved in inserting this bug into
> > > OpenSSL clients and servers.
> > 
> > If they did it, someone got a promotion. If they are as surprised
> > as you are, someone got fired.
> > 
> > In the meantime, tell me that gcc is so compact and well vetted that
> > there is no room in it for insertions...
> > 
> 
> This article makes an interesting point, we've got to dig a bit more into our pockets:
> 
> http://www.wired.com/2014/04/heartbleedslesson/
> 
> The second point I wish to make is the surprise with which the original developer took the issue. Maybe, just maybe, he did not create that flaw at all.
> 
> It could have been inserted into the OpenSSL repository through a backdoor ... or why would the spies be so interested in hacking professors that deal with crypto and whose word is trusted by the masses? Like they did to a Belgian cryptographer? Was that fellow nerd a turrist of sorts?
> 
> It may be possible that Seggelmann did his job correctly, that the reviewer did his job correctly, but someone unknown may have changed it just a little bit before delivery.
> 
> 
> Besides funding projects like OpenSSL better, we should start considering the security of the repositories themselves.
> 
> What ya fellow coders think?

I certainly don't trust repositories ;)

btw, I think this heartbleed story is
exaggerated. If it were code execution
it would have been much worse.

browser vendors fix _a lot_ of
"unspecified memory hazards" every few
months.

IMO getting owned by a browser bug is
much more likely than by heartbleed.

Is there a significant rise of revoked certs caused
by HB paranoia?
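
The distinction the message draws, an over-read that leaks memory rather than a write that takes over control flow, is easiest to see in code. The block below is an added example, not code from the thread and not OpenSSL's source: a deliberately simplified model of TLS heartbeat request handling (RFC 6520 wire format: 1-byte type, 2-byte payload length, payload, at least 16 bytes padding). The function names, the constructed "heap" buffer and the string standing in for neighbouring memory are all assumptions made for the illustration. The vulnerable handler trusts the length field in the message and copies that many bytes; the hardened handler rejects any request whose claimed length does not fit in the bytes that actually arrived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of TLS heartbeat (RFC 6520) request handling, added here
 * as an illustration of the Heartbleed class of bug; it is NOT OpenSSL's
 * code. Wire format: 1-byte type, 2-byte big-endian payload_length,
 * payload, then at least 16 bytes of padding.
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEM_SIZE     64                              /* constructed "heap" below */
#define SAMPLE_RECORD_LEN (1 + 2 + 2 + HB_PADDING)   /* 21 bytes really received */

/* Constructed sample memory (not captured traffic): a crafted request at
 * offset 0 whose length field claims 48 payload bytes although only 2
 * arrived, followed by data standing in for whatever happened to sit next
 * to the record in the process's memory. Returns the record's real length. */
size_t build_sample_memory(unsigned char *mem, size_t cap)
{
    static const char neighbour[] = "SECRET-KEY-MATERIAL";
    if (cap < MEM_SIZE) return 0;
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST;
    mem[1] = 0x00; mem[2] = 0x30;      /* payload_length = 48 (a lie) */
    mem[3] = 'h';  mem[4] = 'i';       /* the 2 payload bytes actually sent */
    /* mem[5..20] are the 16 padding bytes, already zero */
    memcpy(mem + SAMPLE_RECORD_LEN, neighbour, sizeof neighbour - 1);
    return SAMPLE_RECORD_LEN;
}

/* Vulnerable pattern: payload_length is taken from the message and never
 * compared with the number of bytes that actually arrived, so memcpy reads
 * past the record into neighbouring memory. The only check protects the
 * caller's output buffer, which is why this is an over-read (a leak) and
 * not an out-of-bounds write. Returns payload bytes echoed, -1 on refusal. */
int heartbeat_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap)
{
    (void)rec_len;                     /* the bug: rec_len is never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* over-read happens here */
    memset(out + 3 + payload, 0, HB_PADDING);
    return payload;
}

/* Hardened form: bound payload_length by what was actually received and
 * silently discard a request whose claimed length does not fit the record. */
int heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* the fix */
    if ((size_t)3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return payload;
}

/* Offset inside the vulnerable reply where the neighbouring memory shows
 * up, or -1 if nothing leaked. */
int leak_offset_in_vulnerable_reply(void)
{
    unsigned char mem[MEM_SIZE], out[128];
    size_t rec_len = build_sample_memory(mem, sizeof mem);
    int n = heartbeat_reply_vulnerable(mem, rec_len, out, sizeof out);
    if (n <= 0) return -1;
    for (int i = 3; i + 6 <= n + 3; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return i;
    return -1;
}

/* Result of the hardened handler on the same crafted record (-1 = discarded). */
int fixed_reply_result(void)
{
    unsigned char mem[MEM_SIZE], out[128];
    size_t rec_len = build_sample_memory(mem, sizeof mem);
    return heartbeat_reply_fixed(mem, rec_len, out, sizeof out);
}

/* A request whose length field is honest (2 bytes) is still answered. */
int fixed_reply_honest_result(void)
{
    unsigned char honest[SAMPLE_RECORD_LEN] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    unsigned char out[128];
    return heartbeat_reply_fixed(honest, sizeof honest, out, sizeof out);
}

int main(void)
{
    printf("vulnerable reply leaks neighbouring memory at offset %d\n",
           leak_offset_in_vulnerable_reply());
    printf("fixed handler on the crafted record: %d (-1 = discarded)\n",
           fixed_reply_result());
    printf("fixed handler on an honest 2-byte request: %d bytes echoed\n",
           fixed_reply_honest_result());
    return 0;
}
```

The leak shows up in the reply exactly where the real record ended (offset 21, the record's length), because every byte past the 21 that arrived is read from whatever lay next to it. Nothing is written outside the reply buffer, which is the sense in which Guninski's "not code execution" holds; what is read can still include keys or session data that happened to be adjacent, which is why the leaked bytes here are so interesting.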
