On Wed, Apr 9, 2014 at 11:55 AM, Ian Goldberg <i...@cypherpunks.ca> wrote:
> On Wed, Apr 09, 2014 at 12:44:23PM -0400, dweezil wrote:
> > I've been looking over the web trying to find if OTR is susceptible to the
> > OpenSSL Heartbleed vulnerability and haven't found anything.
> >
> > Can anyone confirm or deny (with proof/examples would be awesome) whether
> > or not OTR is vulnerable? Does OTR use OpenSSL and if so, what version?
>
> OTR is a protocol. Different implementations of the protocol might use
> different libraries. But it doesn't really matter what library the OTR
> implementation uses; if a vulnerable openssl is used in your IM client
> *at all*, you're vulnerable.
>
> The standard libotr uses libgcrypt, for the record.
>
> All that said, the OTR *web server* at https://otr.cypherpunks.ca/ was
> indeed running a buggy openssl. The library has since been upgraded,
> the TLS certificate regenerated with fresh keys, and the old one
> revoked.
>

That clarifies everything about the OTR *web server*; about the OTR implementation, it is clear it is not vulnerable.

Regards,

>
> - Ian
> _______________________________________________
> OTR-users mailing list
> OTR-users@lists.cypherpunks.ca
> http://lists.cypherpunks.ca/mailman/listinfo/otr-users
>

--
Cristian Salamea
@ovnicraft