On Fri, Apr 11, 2014 at 04:43:03PM +0200, rysiek wrote:
> > How do you get owned by a browser bug on a server?
> I mean, HB is huge, because:

Own the admin or something like this (probably doesn't work for all admins,
check the ACLU snowden docs for how NSA targets admins via browser bugs).

> - it affects servers;
> - potentially allows access to private keys and passwords;
> - this, in case of forward-secrecy-less setups allows the bad guys to
>   decrypt all saved traffic.
>
> It's as bad as any root-level remote exploit on a server. And because, you

Disagree. AFAICT it doesn't affect openssh, only TLS. remote preauth
openssh would be fun, though ;)

> know, "everybody uses OpenSSL", and because it was unknown but in the code
> for 2+ years, the attack surface was (and is) huge.
>

Continue to believe that much more info is stolen via client bugs U buggy
CMS/cgi + privilege escalation (see kernel changelogs).

> > Is there a significant rise of revoked certs caused
> > by HB paranoia?
>
> No idea, but we're considering revoking ours.
>

This is sound, suspect you are minority. Most people don't reinstall even
after full ownage.

--
cheers
