On Wed, 14 May 2008, Nick Boyce wrote:
> This is the best explanation I've seen so far :
> http://it.slashdot.org/comments.pl?sid=551636&cid=23392602
>
> I have no idea if it's correct, but it sounds very plausible.
It is incorrect. Close, but incorrect.

> If there was any mistake it may have been to try too hard to get a
> warning-free run from valgrind.

Especially when dealing with a badly signaled landmine zone like OpenSSL...

> As the /. post says, "Hats off to the reviewer who picked up on the
> problem".

Indeed. Running millions of machines on what basically is a small set of keys (in other words, brute-forceable) is no joke. We will be feeling the repercussions of this one for a few years.

It is probably worth a lot of effort to fully map the entire set of keys the broken openssl could generate, and find a very fast way to check if a key belongs to that set. And add that to openssl upstream (to automatically fail any verification done using such keys).

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot

Henrique Holschuh
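The kind of check the message calls for, as an added example that is not part of the original thread and not code from OpenSSL or Debian: precompute a set of truncated fingerprints for every key the broken generator could produce, then make verification fail closed whenever a presented key hashes into that set. The sample "keys", the 80-bit truncation, the one-entry-per-line file format and the `verify_fn` stand-in are all constructed assumptions for this example; the real Debian blacklist format is not reproduced here.

```python
import hashlib
from typing import Callable, Iterable, Set

# Constructed sample "public keys". In a real deployment these would be the
# DER or SSH wire encoding of each public key; here they are labelled byte
# strings so the example runs offline.
WEAK_KEY_SAMPLES = [b"constructed-weak-key-1", b"constructed-weak-key-2"]
GOOD_KEY = b"constructed-good-key"


def fingerprint(pubkey: bytes) -> str:
    """Full SHA-256 fingerprint of the encoded public key, hex encoded."""
    return hashlib.sha256(pubkey).hexdigest()


def blocklist_entry(pubkey: bytes, nibbles: int = 20) -> str:
    """Truncated fingerprint used as the blocklist key (assumed 80 bits).

    Truncation keeps the table small; for a list of a few hundred thousand
    entries an accidental 80-bit collision is negligible.
    """
    return fingerprint(pubkey)[-nibbles:]


def build_blocklist(weak_keys: Iterable[bytes]) -> Set[str]:
    """Enumerate the weak keys once; a later check costs one hash and a set lookup."""
    return {blocklist_entry(k) for k in weak_keys}


def parse_blocklist(text: str) -> Set[str]:
    """Parse a constructed on-disk format: one entry per line, '#' comments allowed."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(line.lower())
    return entries


def is_blocklisted(pubkey: bytes, blocklist: Set[str]) -> bool:
    return blocklist_entry(pubkey) in blocklist


def verify_with_policy(pubkey: bytes, blocklist: Set[str],
                       verify_fn: Callable[[bytes], bool]) -> bool:
    """Fail closed: a blocklisted key is rejected before the signature check runs.

    verify_fn stands in for the real cryptographic verification (hypothetical).
    """
    if is_blocklisted(pubkey, blocklist):
        return False
    return verify_fn(pubkey)


if __name__ == "__main__":
    blocklist = build_blocklist(WEAK_KEY_SAMPLES)
    for key in WEAK_KEY_SAMPLES + [GOOD_KEY]:
        verdict = "REJECT (known weak key)" if is_blocklisted(key, blocklist) else "ok"
        print(f"{blocklist_entry(key)}  {verdict}")
```

The blocklist is generated offline from the enumerated weak-key space and shipped to verifiers as data, so the runtime check is a hash plus a set lookup regardless of how large the weak set is; keeping the rejection ahead of the signature check means a signature made with a compromised key can never count as valid.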

