[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
- To: rysiek <[email protected]>
- Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
- From: [email protected] (Georgi Guninski)
- Date: Fri, 11 Apr 2014 18:34:01 +0300
- Cc: [email protected]
- In-reply-to: <1409607.uUXFrpi0Wi@lap>
- References: <CAD2Ti2_tOpe+gvwqwr3G91jnFw8T=ihsaEYsB53+6iDh8reEwQ@mail.gmail.com> <149518711.83101.1397221629681.JavaMail.www@wwinf8224> <[email protected]$> <1409607.uUXFrpi0Wi@lap>
On Fri, Apr 11, 2014 at 04:43:03PM +0200, rysiek wrote:
>
> How do you get owned by a browser bug on a server? I mean, HB is huge,
> because:
Own the admin or something like this
(probably doesn't work for all admins,
check the ACLU snowden docs for how NSA targets
admins via browser bugs).
> - it affects servers;
> - potentially allows access to private keys and passwords;
> - this, in case of forward-secrecy-less setups allows the bad guys to
> decrypt all saved traffic.
>
> It's as bad as any root-level remote exploit on a server. And because, you
Disagree. AFAICT it doesn't affect openssh, only TLS.
remote preauth openssh would be fun, though ;)
> know, "everybody uses OpenSSL", and because it was unknown but in the code for
> 2+ years, the attack surface was (and is) huge.
>
Continue to believe that much more info is stolen
via client bugs U buggy CMS/cgi + privilege escalation
(see kernel changelogs).
> > Is there a significant rise of revoked certs caused
> > by HB paranoia?
>
> No idea, but we're considering revoking ours.
>
This is sound, suspect you are minority.
Most people don't reinstall even after full
ownage.
--
cheers