On Saturday, April 12, 2014 at 03:43:29PM -0400, Michael Smith wrote:
> > On Apr 12, 2014, at 3:08 PM, Michael Tuexen <michael.tue...@lurchi.franken.de> wrote:
> >>
> > I have read the rumor. It is wrong.
>
> "Introduced with intent" vs. "known to the NSA" -- two different things, right?
>
> I don't have any direct knowledge of what goes on in the NSA, but if they don't have a whole cubicle farm full of people looking for vulnerabilities, I'd be surprised. OpenSSL would be an obvious high-value target for scrutiny just because of its ubiquity.

And one comment more: the bug works in both directions; when a client with an OpenSSL lib/DLL with this bug connects to a well-prepared SSL server, the server can fetch up to 64 kbyte of memory from the client, for example the stored saved passwords in your browser...

matthias

--
Sent from my FreeBSD netbook
Matthias Apitz, <g...@unixarea.de>, http://www.unixarea.de/ f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
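The "both directions" point above comes down to one missing bounds check: a TLS heartbeat message carries a declared payload_length, and the buggy code trusted that field when building the echo response instead of comparing it with the number of bytes actually received. Whether the untrusted heartbeat arrives from a server (the case described in the mail) or from a client, the defence is the same check on the receiving side. The following Python is an added example written for this thread, not code from OpenSSL or from any poster; it parses a heartbeat message body in the RFC 6520 layout (type, 2-byte payload_length, payload, at least 16 bytes of padding), discards messages whose declared length does not fit in what was received, and builds the response only from bytes the peer actually sent. The sample messages at the bottom are constructed for the example.

```python
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2      # type (1 byte) + payload_length (2 bytes)
PADDING_MIN = 16        # RFC 6520: padding is at least 16 bytes


def parse_heartbeat(body: bytes):
    """Parse a heartbeat message body.

    Returns (hb_type, payload) on success, or None when the message
    must be silently discarded. The comparison of payload_length
    against len(body) is the check the vulnerable code lacked: without
    it, the response copies payload_length bytes starting at the
    payload, and anything past the end of the received record is
    whatever happens to sit in process memory.
    """
    if len(body) < HEADER_LEN + PADDING_MIN:
        return None
    hb_type, payload_length = struct.unpack("!BH", body[:HEADER_LEN])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # Declared payload plus the mandatory minimum padding must fit
    # inside the bytes that were actually received.
    if HEADER_LEN + payload_length + PADDING_MIN > len(body):
        return None
    payload = body[HEADER_LEN:HEADER_LEN + payload_length]
    return hb_type, payload


def build_response(request_body: bytes):
    """Validate a heartbeat request and return the response body,
    or None if the request was discarded. The echoed payload is sliced
    from the validated request, so it can never be longer than what
    the peer sent; padding is fresh random bytes, never old memory."""
    parsed = parse_heartbeat(request_body)
    if parsed is None:
        return None
    hb_type, payload = parsed
    if hb_type != HEARTBEAT_REQUEST:
        return None
    padding = os.urandom(PADDING_MIN)
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + padding


def make_request(payload: bytes, declared_length: int) -> bytes:
    """Constructed test helper: build a request whose header may
    declare a different payload length than the payload it carries."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_length) + payload + b"\x00" * PADDING_MIN


# Constructed sample messages for the example.
WELL_FORMED = make_request(b"hello", 5)          # declared length matches
OVERSIZED = make_request(b"hello", 0xFFFF)       # declares 64 KiB, sends 5 bytes


if __name__ == "__main__":
    print("well-formed:", parse_heartbeat(WELL_FORMED))
    print("oversized:  ", parse_heartbeat(OVERSIZED))
    print("response:   ", build_response(WELL_FORMED)[:HEADER_LEN + 5])
```

Run as a script it shows the well-formed request being echoed and the oversized one being dropped; the same `parse_heartbeat` call is what a client would run on a heartbeat arriving from a server, which is why the fix closes both directions at once.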