On 9 Apr. 2014, at 18:44, dweezil <dw33...@gmail.com> wrote:

> I've been looking over the web trying to find if OTR is susceptible to the
> OpenSSL Heartbleed vulnerability and haven't found anything.
>
> Can anyone confirm or deny (with proof/examples would be awesome) whether or
> not OTR is vulnerable? Does OTR use OpenSSL and if so, what version?
Pidgin-OTR uses libgcrypt to implement its cryptographic operations. Pidgin itself also does not use OpenSSL. Even if another OTR implementation used OpenSSL for its cryptographic primitives (not that I know of any), the Heartbleed bug is so TLS-specific that it's very unlikely that that implementation would be vulnerable.

However, other IM clients that do use OpenSSL to implement TLS might have leaked your OTR private keys and your decrypted messages to a malicious server due to the Heartbleed bug.

Thijs
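The last point deserves a concrete illustration, because it is easy to read the reply as "OTR does not use OpenSSL, so I am fine." Heartbleed was an over-read in OpenSSL's TLS heartbeat handler: the server copied as many bytes into the reply as the request *claimed* to carry, not as many as it actually carried, so whatever sat in process memory after the request went back to the peer. Which library holds a secret is irrelevant; what matters is whether that secret lives in the same process as a vulnerable OpenSSL. The C program below is an added example written for this thread, not code from libotr, Pidgin or OpenSSL. It simulates both the pre-fix and the fixed handler over a constructed, bounded memory arena in which a made-up "OTR private key" string happens to sit just after the heartbeat record (an assumption standing in for any secret in an IM client's heap); the record layout (type, 16-bit length, payload, 16 bytes of padding) follows the TLS heartbeat extension, and the fixed handler discards the request the same way the real fix does.

```c
/* Added example: simulated Heartbleed over-read next to an OTR-style secret.
 * Not OpenSSL or libotr code; the memory layout is constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE  256
#define HB_REQUEST  1
#define HB_PADDING  16   /* TLS heartbeat messages carry >= 16 bytes of padding */
#define OUT_CAP     200

/* Constructed "process memory": the heartbeat record is laid out at the
 * start, and a made-up OTR private key (assumption: any secret that happens
 * to sit after the record in the heap) is placed immediately behind it. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "OTR-PRIVKEY:constructed-example-only";

/* Write a heartbeat request into the arena; `real_payload` is what the peer
 * actually sent, `claimed_len` is the payload_length field in the header.
 * Returns the true record length as the TLS record layer would know it. */
size_t build_heartbeat(const char *real_payload, uint16_t claimed_len)
{
    size_t n = strlen(real_payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, real_payload, n);
    size_t record_len = 3 + n + HB_PADDING;
    memcpy(arena + record_len, secret, sizeof secret);  /* secret right after */
    return record_len;
}

/* Vulnerable handler: trusts payload_length and copies that many bytes from
 * the payload start, reading past the end of the record. The clamp to
 * out_cap only keeps this demo inside its own arena. */
size_t heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap)
{
    (void)record_len;  /* never consulted: this is the bug */
    size_t payload_len = (size_t)((arena[1] << 8) | arena[2]);
    if (payload_len > out_cap) payload_len = out_cap;
    memcpy(out, arena + 3, payload_len);
    return payload_len;
}

/* Fixed handler: the claimed payload plus header and padding must fit inside
 * the record actually received, otherwise the message is silently dropped. */
size_t heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING) return 0;
    size_t payload_len = (size_t)((arena[1] << 8) | arena[2]);
    if (1 + 2 + payload_len + HB_PADDING > record_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, arena + 3, payload_len);
    return payload_len;
}

/* 1 if the secret appears anywhere in buf[0..len). */
int leaks_secret(const unsigned char *buf, size_t len)
{
    size_t slen = strlen(secret);
    for (size_t i = 0; len >= slen && i + slen <= len; i++)
        if (memcmp(buf + i, secret, slen) == 0) return 1;
    return 0;
}

/* Send a 4-byte "ping" with the given claimed length through one handler.
 * Returns -1 if the handler discarded the request, 1 if the reply contains
 * the secret, 0 if the reply was bounded and clean. */
int probe(int use_fixed, uint16_t claimed_len)
{
    unsigned char out[OUT_CAP];
    size_t record_len = build_heartbeat("ping", claimed_len);
    size_t n = use_fixed ? heartbeat_fixed(record_len, out, sizeof out)
                         : heartbeat_vulnerable(record_len, out, sizeof out);
    if (n == 0) return -1;
    return leaks_secret(out, n);
}

int main(void)
{
    printf("vulnerable, claimed 200: %d (1 = secret leaked)\n", probe(0, 200));
    printf("fixed,      claimed 200: %d (-1 = discarded)\n", probe(1, 200));
    printf("fixed,      claimed   4: %d (0 = clean reply)\n", probe(1, 4));
    return 0;
}
```

The leaked bytes are copied verbatim from the arena, so the secret shows up in the reply even though nothing in the "heartbeat" code knows or cares that it is an OTR key. That is exactly the situation Thijs describes for an IM client that links OpenSSL for TLS while libotr keeps its keys elsewhere in the same address space.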
_______________________________________________
OTR-users mailing list
OTR-users@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-users