On 08/04/14 11:46, ianG wrote:
We have here a rare case of a broad break in a security protocol leading
to compromise of keys.
Though it's an implementation break, not a protocol break.
___
cryptography mailing list
cryptography@randombit.net
On 08/04/14 11:46, ianG wrote:
We have here a rare case of a broad break in a security protocol leading
to compromise of keys.
On 2014-04-09 21:53, Alan Braggins wrote:
Though it's an implementation break, not a protocol break.
Not exactly. The protocol failed to define a response to
On 04/10/2014 12:29 AM, James A. Donald wrote:
On 08/04/14 11:46, ianG wrote:
We have here a rare case of a broad break in a security protocol leading
to compromise of keys.
On 2014-04-09 21:53, Alan Braggins wrote:
Though it's an implementation break, not a protocol break.
Not
On Apr 9, 2014, at 4:41 PM, Stephen Farrell stephen.farr...@cs.tcd.ie wrote:
I figure there are some protocol design lessons maybe. There's
a thread started on the TLS list about it today. [2] Be interesting
to see what that turns up.
There is actually a second thread on the TLS list today
I am not openssl expert and here is just my observation.
TLS frame messages into length-prefixed records. Each records has a
1 byte contentType and a 2 byte record length, followed by the record
content and MAC.
Heartbeat messages are TLS records with contentType 24 of this content format:
On 7/04/2014 22:53 pm, Edwin Chu wrote:
Hi
A latest story for OpenSSL
http://heartbleed.com/
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
cryptographic software library. This weakness allows stealing the
information protected, under normal
On Apr 8, 2014 2:03 AM, Edwin Chu edwinche...@gmail.com wrote:
I am not openssl expert and here is just my observation.
TLS frame messages into length-prefixed records. Each records has a
1 byte contentType and a 2 byte record length, followed by the record
content and MAC.
Heartbeat
On Mon, Apr 07, 2014 at 11:02:50PM -0700, Edwin Chu wrote:
I am not openssl expert and here is just my observation.
[...]
Thanks for this analysis.
Sadly, a variable-sized heartbeat payload was probably necessary, at
least for the DTLS case: for PMTU discovery.
Once more, a lack of an IDL,
On Tue, Apr 08, 2014 at 11:46:49AM +0100, ianG wrote:
While everyone's madly rushing around to fix their bitsbobs, I'd
encouraged you all to be alert to any evidence of *damages* either
anecdotally or more firm. By damages, I mean (a) rework needed to
secure, and (b) actual breach into sites
Message du 08/04/14 18:44
De : ianG
E.g., if we cannot show any damages from this breach, it isn't worth
spending a penny on it to fix! Yes, that's outrageous and will be
widely ignored ... but it is economically and scientifically sound, at
some level.
So, let's wait until another 40
On Tue, Apr 08, 2014 at 01:12:25PM -0400, Jonathan Thornburg wrote:
On Tue, Apr 08, 2014 at 11:46:49AM +0100, ianG wrote:
While everyone's madly rushing around to fix their bitsbobs, I'd
encouraged you all to be alert to any evidence of *damages* either
anecdotally or more firm. By
On Tue, Apr 8, 2014 at 3:18 PM, tpb-cry...@laposte.net wrote:
Message du 08/04/14 18:44
De : ianG
E.g., if we cannot show any damages from this breach, it isn't worth
spending a penny on it to fix! Yes, that's outrageous and will be
widely ignored ... but it is economically and
On Tue, Apr 8, 2014 at 6:46 AM, ianG i...@iang.org wrote:
On 7/04/2014 22:53 pm, Edwin Chu wrote:
...
E.g., if we cannot show any damages from this breach, it isn't worth
spending a penny on it to fix! Yes, that's outrageous and will be
widely ignored ... but it is economically and
Message du 08/04/14 21:42
De : ianG
A : tpb-cry...@laposte.net, cryptogra...@metzdowd.com,
cryptography@randombit.net
Copie à :
Objet : Re: [Cryptography] The Heartbleed Bug is a serious vulnerability in
OpenSSL
On 8/04/2014 20:18 pm, tpb-cry...@laposte.net wrote:
Message du
On 8/04/2014 20:33 pm, Nico Williams wrote:
On Tue, Apr 08, 2014 at 01:12:25PM -0400, Jonathan Thornburg wrote:
On Tue, Apr 08, 2014 at 11:46:49AM +0100, ianG wrote:
While everyone's madly rushing around to fix their bitsbobs, I'd
encouraged you all to be alert to any evidence of *damages*
On 8/04/2014 21:02 pm, tpb-cry...@laposte.net wrote:
You said you control a quite famous bug list.
Not me, you might be thinking of the other iang?
I should not ask this here, but considering the situation we found ourselves
regarding encryption infrastructure abuse from the part of US
we should probably stop keeping secrets on the internet. (snark snark)
marc
On Tue, Apr 8, 2014 at 3:17 PM, ianG i...@iang.org wrote:
On 8/04/2014 21:02 pm, tpb-cry...@laposte.net wrote:
You said you control a quite famous bug list.
Not me, you might be thinking of the other iang?
I
On 2014-04-09 00:48, Nico Williams wrote:
On Mon, Apr 07, 2014 at 11:02:50PM -0700, Edwin Chu wrote:
I am not openssl expert and here is just my observation.
[...]
Thanks for this analysis.
Sadly, a variable-sized heartbeat payload was probably necessary, at
least for the DTLS case: for PMTU
Hi
A latest story for OpenSSL
http://heartbleed.com/
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
cryptographic software library. This weakness allows stealing the
information protected, under normal conditions, by the SSL/TLS encryption
used to secure the Internet.
On 2014-04-07 17:53, Edwin Chu wrote:
Hi
A latest story for OpenSSL
http://heartbleed.com/
ed
Already patched in Debian.
DSA 2896-1.
--
staticsafe
___
cryptography mailing list
cryptography@randombit.net
staticsafe m...@staticsafe.ca wrote:
On 2014-04-07 17:53, Edwin Chu wrote:
Hi
A latest story for OpenSSL
http://heartbleed.com/
ed
Already patched in Debian.
DSA 2896-1.
OK, but if you have the patches, should you still assume all your keys
may have been compromised and therefore
The git blame in a heartbeat:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
The big question is:
Seeing these diff lines, how does one reveal 64k of memory?
The first who codes is the first who posts.
22 matches
Mail list logo