On Saturday, April 12, 2014 at 03:43:29PM -0400, Michael Smith wrote:

> On Apr 12, 2014, at 3:08 PM, Michael Tuexen 
> <michael.tue...@lurchi.franken.de> wrote:
> >>  
> > I have read the rumor. It is wrong. 
> "Introduced with intent" vs. "known to the NSA" -- two 
> different things, right? 
> I don't have any direct knowledge of what goes on in the 
> NSA, but if they don't have a whole cubicle farm full 
> of people looking for vulnerabilities, I'd be surprised. 
> OpenSSL would be an obvious high-value target for scrutiny 
> just because of its ubiquity. 

and one comment more: the bug works in both directions; when a client
with an openssl lib/DLL with this bug connects to a well prepared SSL server,
the server can fetch up to 64 kbyte of memory from the client, for example the
stored saved passwords in your browser...

Sent from my FreeBSD netbook

Matthias Apitz, <g...@unixarea.de>, http://www.unixarea.de/ f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
