Re: [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread James A. Donald
On 2014-04-09 00:48, Nico Williams wrote: On Mon, Apr 07, 2014 at 11:02:50PM -0700, Edwin Chu wrote: I am not openssl expert and here is just my observation. [...] Thanks for this analysis. Sadly, a variable-sized heartbeat payload was probably necessary, at least for the DTLS case: for PMTU

Re: [cryptography] [tor-talk] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread grarpamp
On Tue, Apr 8, 2014 at 2:02 PM, Joe Btfsplk wrote: >> On 4/7/2014 6:14 PM, grarpamp wrote: >> http://heartbleed.com/ >> Patch your stuff. > Comments / suggestions from those w/ in depth knowledge in this area? How > users should proceed; how to check if sites used (banks, email, retail > sites,

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread tpb-crypto
> Message of 08/04/14 22:18 > From: "ianG" > To: tpb-cry...@laposte.net, cryptogra...@metzdowd.com, > cryptography@randombit.net > Cc: > Subject: Re: [Cryptography] The Heartbleed Bug is a serious vulnerability in > OpenSSL > > On 8/04/2014 21:02 pm, tpb-cry...@laposte.net wrote: > > >

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread mtm
we should probably stop keeping secrets on the internet. (snark snark) marc On Tue, Apr 8, 2014 at 3:17 PM, ianG wrote: > On 8/04/2014 21:02 pm, tpb-cry...@laposte.net wrote: > > > You said you control a quite famous bug list. > > > Not me, you might be thinking of the other iang? > > > I shou

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread ianG
On 8/04/2014 21:02 pm, tpb-cry...@laposte.net wrote: > You said you control a quite famous bug list. Not me, you might be thinking of the other iang? > I should not ask this here, but considering the situation we found ourselves > regarding encryption infrastructure abuse from the part of US g

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread ianG
On 8/04/2014 20:33 pm, Nico Williams wrote: > On Tue, Apr 08, 2014 at 01:12:25PM -0400, Jonathan Thornburg wrote: >> On Tue, Apr 08, 2014 at 11:46:49AM +0100, ianG wrote: >>> While everyone's madly rushing around to fix their bits&bobs, I'd >>> encouraged you all to be alert to any evidence of *dam

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread tpb-crypto
> Message of 08/04/14 21:42 > From: "ianG" > To: tpb-cry...@laposte.net, cryptogra...@metzdowd.com, > cryptography@randombit.net > Cc: > Subject: Re: [Cryptography] The Heartbleed Bug is a serious vulnerability in > OpenSSL > > On 8/04/2014 20:18 pm, tpb-cry...@laposte.net wrote: > >> Messa

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread Jeffrey Walton
On Tue, Apr 8, 2014 at 6:46 AM, ianG wrote: > On 7/04/2014 22:53 pm, Edwin Chu wrote: > ... > E.g., if we cannot show any damages from this breach, it isn't worth > spending a penny on it to fix! Yes, that's outrageous and will be > widely ignored ... but it is economically and scientifically sou

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread shawn wilson
On Tue, Apr 8, 2014 at 3:18 PM, wrote: >> Message of 08/04/14 18:44 >> From: "ianG" >> >> E.g., if we cannot show any damages from this breach, it isn't worth >> spending a penny on it to fix! Yes, that's outrageous and will be >> widely ignored ... but it is economically and scientifically sound,

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread ianG
On 8/04/2014 20:18 pm, tpb-cry...@laposte.net wrote: >> Message of 08/04/14 18:44 >> From: "ianG" >> >> E.g., if we cannot show any damages from this breach, it isn't worth >> spending a penny on it to fix! Yes, that's outrageous and will be >> widely ignored ... but it is economically and scientif

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread Nico Williams
On Tue, Apr 08, 2014 at 01:12:25PM -0400, Jonathan Thornburg wrote: > On Tue, Apr 08, 2014 at 11:46:49AM +0100, ianG wrote: > > While everyone's madly rushing around to fix their bits&bobs, I'd > > encouraged you all to be alert to any evidence of *damages* either > > anecdotally or more firm. By

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread tpb-crypto
> Message of 08/04/14 18:44 > From: "ianG" > > E.g., if we cannot show any damages from this breach, it isn't worth > spending a penny on it to fix! Yes, that's outrageous and will be > widely ignored ... but it is economically and scientifically sound, at > some level. > So, let's wait until an

Re: [cryptography] OTR and XMPP

2014-04-08 Thread Randolph
the alternative to OTR is the echo encryption, as deployed in this client: http://firefloo.sf.net As well offers this client to send Rosetta Encryption over XMPP. That is the second alternative. Please research the library used. Regards 2014-04-08 4:13 GMT+02:00 Pranesh Prakash : > Dear all, > In

Re: [cryptography] [Cryptography] Github Pages now supports SSL

2014-04-08 Thread Eric Mill
Yeah, it's real terrific. -_- @ITechGeek, my understanding was that SNI was handled at an OS level by WinXP, and no browser would work on it. I could be wrong, I haven't researched it myself. On Mon, Apr 7, 2014 at 10:31 PM, Bill Stewart wrote: > At 11:08 AM 4/4/2014, Eric Mill wrote: > >>

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread ianG
On 8/04/2014 18:12 pm, Jonathan Thornburg wrote: > On Tue, Apr 08, 2014 at 11:46:49AM +0100, ianG wrote: >> While everyone's madly rushing around to fix their bits&bobs, I'd >> encouraged you all to be alert to any evidence of *damages* either >> anecdotally or more firm. By damages, I mean (a) re

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread Jonathan Thornburg
On Tue, Apr 08, 2014 at 11:46:49AM +0100, ianG wrote: > While everyone's madly rushing around to fix their bits&bobs, I'd > encouraged you all to be alert to any evidence of *damages* either > anecdotally or more firm. By damages, I mean (a) rework needed to > secure, and (b) actual breach into si

Re: [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread Nico Williams
On Mon, Apr 07, 2014 at 11:02:50PM -0700, Edwin Chu wrote: > I am not openssl expert and here is just my observation. > [...] Thanks for this analysis. Sadly, a variable-sized heartbeat payload was probably necessary, at least for the DTLS case: for PMTU discovery. Once more, a lack of an IDL, s

Re: [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread shawn wilson
On Apr 8, 2014 2:03 AM, "Edwin Chu" wrote: > > I am not openssl expert and here is just my observation. > > TLS frames messages into length-prefixed "records". Each record has a > 1 byte contentType and a 2 byte record length, followed by the record > content and MAC. > > Heartbeat messages are TL

Re: [cryptography] [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

2014-04-08 Thread ianG
On 7/04/2014 22:53 pm, Edwin Chu wrote: > Hi > > A latest story for OpenSSL > > http://heartbleed.com/ > > The Heartbleed Bug is a serious vulnerability in the popular OpenSSL > cryptographic software library. This weakness allows stealing the > information protected, under normal co