On 9 apr. 2014, at 18:44, dweezil <dw33...@gmail.com> wrote:

> I've been looking over the web trying to find if OTR is susceptible to the 
> OpenSSL Heartbleed vulnerability and haven't found anything.
> 
> Can anyone confirm or deny (with proof/examples would be awesome) whether or 
> not OTR is vulnerable?  Does OTR use OpenSSL and if so, what version?

Pidgin-OTR uses libgcrypt to implement its cryptographic operations. Pidgin
itself also does not use OpenSSL.

Even if another OTR implementation used OpenSSL for its cryptographic
primitives (not that I know of any), the Heartbleed bug is so TLS-specific
that it’s very unlikely that that implementation would be vulnerable.

However, other IM clients that do use OpenSSL to implement TLS might have
leaked your OTR private keys and your decrypted messages to a malicious server
due to the Heartbleed bug.

Thijs

_______________________________________________
OTR-users mailing list
OTR-users@lists.cypherpunks.ca
http://lists.cypherpunks.ca/mailman/listinfo/otr-users
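
A way to run the check the question asks for, as an added example that is not part of the original thread: it lists which crypto libraries a binary links (from `ldd` output) and flags OpenSSL version strings in the Heartbleed-affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1). The `ldd` samples are constructed, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example; the ldd samples below are constructed, not captured output.

# Return 0 if a bare OpenSSL version string names a release that shipped with
# Heartbleed (1.0.1 through 1.0.1f, or 1.0.2-beta1), 1 otherwise.
# Distributions backport fixes without changing this string, so a match
# means "check the package changelog", not "confirmed vulnerable".
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ldd` output on stdin; print the crypto/TLS libraries it names.
linked_crypto_libs() {
    awk '{ n = $1; sub(/\.so.*/, "", n)
           if (n ~ /^(libssl|libcrypto|libgcrypt|libgnutls|libnss3)$/) print n }' |
        sort -u | tr '\n' ' '
}

# $1 = label, stdin = ldd output. Only libssl matters for Heartbleed: the
# bug is in the TLS heartbeat handler, not in the crypto primitives.
report() {
    libs=$(linked_crypto_libs)
    case " $libs" in
        *" libssl "*) echo "$1: links libssl, check its version ($libs)" ;;
        *)            echo "$1: no libssl linked ($libs)" ;;
    esac
}

# Constructed samples: one client built on libgcrypt, one on OpenSSL.
SAMPLE_GCRYPT_CLIENT='    libotr.so.5 => /usr/lib/libotr.so.5 (0x00007f0000000000)
    libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00007f0000100000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000200000)'
SAMPLE_OPENSSL_CLIENT='    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f0000000000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0000100000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000200000)'

printf '%s\n' "$SAMPLE_GCRYPT_CLIENT"  | report "gcrypt-based client"
printf '%s\n' "$SAMPLE_OPENSSL_CLIENT" | report "openssl-based client"
if heartbleed_affected 1.0.1e; then echo "1.0.1e: in the affected range"; fi
```

On a real system, pipe `ldd /path/to/binary` into `report`. A binary that loads its TLS library at run time instead of linking it will not show up this way.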
