[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
- To: [email protected]
- Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
- From: [email protected] (Georgi Guninski)
- Date: Fri, 11 Apr 2014 16:32:44 +0300
- In-reply-to: <149518711.83101.1397221629681.JavaMail.www@wwinf8224>
- References: <CAD2Ti2_tOpe+gvwqwr3G91jnFw8T=ihsaEYsB53+6iDh8reEwQ@mail.gmail.com> <[email protected]> <149518711.83101.1397221629681.JavaMail.www@wwinf8224>
On Fri, Apr 11, 2014 at 03:07:09PM +0200, [email protected] wrote:
> > Message of 11/04/14 05:44
> > From : [email protected]
> > > It makes me wonder if the NSA was involved in inserting this bug into
> > > OpenSSL clients and servers.
> >
> > If they did it, someone got a promotion. If they are as surprised
> > as you are, someone got fired.
> >
> > In the meantime, tell me that gcc is so compact and well vetted that
> > there is no room in it for insertions...
> >
>
> This article makes an interesting point; we have got to dig a bit more from our pockets:
>
> http://www.wired.com/2014/04/heartbleedslesson/
>
> The second point I wish to make is the surprise with which the original developer took the issue. Maybe, just maybe, he did not create that flaw at all.
>
> It could have been inserted into the OpenSSL repository through a backdoor ... or why would the spies be so interested in hacking professors that deal with crypto and whose word is trusted by the masses? Like they did to a Belgian cryptographer? Was that fellow nerd a turrist of sorts?
>
> It may be possible that Seggelmann did his job correctly, that the reviewer did his job correctly, but someone unknown may have changed it just a little bit before delivery.
>
>
> Besides funding projects like OpenSSL better, we should start considering the security of the repositories themselves.
>
> What ya fellow coders think?

I certainly don't trust repositories ;)

btw, I think this heartbleed story is exaggerated. If it were code execution it would have been much worse. Browser vendors fix _a lot_ of "unspecified memory hazards" every few months. IMO getting owned by a browser bug is much more likely than by heartbleed.

Is there a significant rise of revoked certs caused by HB paranoia?