[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Georgi Guninski
guninski at guninski.com
Fri Apr 11 08:34:01 PDT 2014
On Fri, Apr 11, 2014 at 04:43:03PM +0200, rysiek wrote:
>
> How do you get owned by a browser bug on a server? I mean, HB is huge,
> because:
Own the admin or something like this
(probably doesn't work for all admins,
check the ACLU snowden docs for how NSA targets
admins via browser bugs).
> - it affects servers;
> - potentially allows access to private keys and passwords;
> - this, in case of forward-secrecy-less setups allows the bad guys to
> decrypt all saved traffic.
>
> It's as bad as any root-level remote exploit on a server. And because, you
Disagree. AFAICT it doesn't affect openssh, only TLS.
remote preauth openssh would be fun, though ;)
> know, "everybody uses OpenSSL", and because it was unknown but in the code for
> 2+ years, the attack surface was (and is) huge.
>
Continue to believe that much more info is stolen
via client bugs U buggy CMS/cgi + privilege escalation
(see kernel changelogs).
> > Is there a significant rise of revoked certs caused
> > by HB paranoia?
>
> No idea, but we're considering revoking ours.
>
This is sound, suspect you are minority.
Most people don't reinstall even after full
ownage.
--
cheers
More information about the cypherpunks
mailing list