[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL



On Fri, Apr 11, 2014 at 04:43:03PM +0200, rysiek wrote:
> 
> How do you get owned by a browser bug on a server? I mean, HB is huge, 
> because:

Own the admin or something like this
(probably doesn't work for all admins,
check the ACLU snowden docs for how NSA targets
admins via browser bugs).

>  - it affects servers;
>  - potentially allows access to private keys and passwords;
>  - this, in case of forward-secrecy-less setups allows the bad guys to
>    decrypt all saved traffic.
> 
> It's as bad as any root-level remote exploit on a server. And because, you 

Disagree. AFAICT it doesn't affect openssh, only TLS.

remote preauth openssh would be fun, though ;)

> know, "everybody uses OpenSSL", and because it was unknown but in the code for 
> 2+ years, the attack surface was (and is) huge.
> 

Continue to believe that much more info is stolen
via client bugs U buggy CMS/cgi + privilege escalation
(see kernel changelogs).

> > Is there a significant rise of revoked certs caused
> > by HB paranoia?
> 
> No idea, but we're considering revoking ours.
> 

This is sound, suspect you are minority.

Most people don't reinstall even after full
ownage.

-- 
cheers