[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL



On Fri, Apr 11, 2014 at 03:07:09PM +0200, [email protected] wrote:
> > Message du 11/04/14 05:44
> > De : [email protected]
> > > It makes me wonder if the NSA was involved in inserting this bug into
> > > OpenSSL clients and servers.
> > 
> > If they did it, someone got a promotion. If they are as surprised
> > as you are, someone got fired.
> > 
> > In the meantime, tell me that gcc is so compact and well vetted that
> > there is no room in it for insertions...
> > 
> 
> This article makes an interesting point, we got to dig a bit more from our pockets:
> 
> http://www.wired.com/2014/04/heartbleedslesson/
> 
> The second point I wish to make is the surprise by which the original developer took the issue. Maybe, just maybe, he did not create that flaw at all.
> 
> It could have been inserted into the OpenSSL repository through a backdoor ... or why would the spies by so interested in hacking professors that deal with crypto and whose word is trusted by the masses? Like they did to a Belgian cryptographer? Was that fellow nerd a turrist of sorts?
> 
> It may be possible that Segelmann did his job correctly, that the reviewer did his job correctly, but someone unknown may have changed it just a little bit before delivery.
> 
> 
> Besides funding projects like OpenSSL better, we should start considering the security of the repositories themselves.
> 
> What ya fellow coders think?

I certainly don't trust repositories ;)

btw, I think this heartbleed story is
exaggerated. If it were code execution
it would have been much worse.

browser vendors fix _a lot_ of
"unspecified memory hazards" every few
months.

IMO getting owned by a browser bug is
much more likely than by heartbleed.

Is there a significant rise of revoked certs caused
by HB paranoia?