On Friday, 11 April 2014 16:32:44 Georgi Guninski wrote:
> On Fri, Apr 11, 2014 at 03:07:09PM +0200, [email protected] wrote:
> > > Message of 11/04/14 05:44
> > > From: [email protected]
> > >
> > > > It makes me wonder if the NSA was involved in inserting this bug into
> > > > OpenSSL clients and servers.
> > >
> > > If they did it, someone got a promotion. If they are as surprised
> > > as you are, someone got fired.
> > >
> > > In the meantime, tell me that gcc is so compact and well vetted that
> > > there is no room in it for insertions...
> >
> > This article makes an interesting point, we got to dig a bit more from our
> > pockets:
> >
> > http://www.wired.com/2014/04/heartbleedslesson/
> >
> > The second point I wish to make is the surprise by which the original
> > developer took the issue. Maybe, just maybe, he did not create that flaw
> > at all.
> >
> > It could have been inserted into the OpenSSL repository through a backdoor
> > ... or why would the spies be so interested in hacking professors that
> > deal with crypto and whose word is trusted by the masses? Like they did
> > to a Belgian cryptographer? Was that fellow nerd a turrist of sorts?
> >
> > It may be possible that Segelmann did his job correctly, that the reviewer
> > did his job correctly, but someone unknown may have changed it just a
> > little bit before delivery.
> >
> >
> > Besides funding projects like OpenSSL better, we should start considering
> > the security of the repositories themselves.
> >
> > What ya fellow coders think?
>
> I certainly don't trust repositories ;)
>
> btw, I think this heartbleed story is
> exaggerated. If it were code execution
> it would have been much worse.
>
> browser vendors fix _a lot_ of
> "unspecified memory hazards" every few
> months.
>
> IMO getting owned by a browser bug is
> much more likely than by heartbleed.

How do you get owned by a browser bug on a server?

I mean, HB is huge, because:
- it affects servers;
- potentially allows access to private keys and passwords;
- this, in case of forward-secrecy-less setups, allows the bad guys to decrypt
  all saved traffic.

It's as bad as any root-level remote exploit on a server. And because, you
know, "everybody uses OpenSSL", and because it was unknown but in the code for
2+ years, the attack surface was (and is) huge.

> Is there a significant rise of revoked certs caused
> by HB paranoia?

No idea, but we're considering revoking ours.

--
Regards
rysiek
