On Monday, May 27, 2019, Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Mon, May 27, 2019 at 06:06:42AM +0300, Ryan Sleevi wrote:
> > On Mon, May 27, 2019 at 4:34 AM Matt Palmer via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
>
On Mon, May 27, 2019 at 06:06:42AM +0300, Ryan Sleevi wrote:
> On Mon, May 27, 2019 at 4:34 AM Matt Palmer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> > That sounds an *awful* lot like Heartbleed: "a [...] proven method that
> > exposes the Subscriber's Private Key
On Mon, May 27, 2019 at 4:34 AM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi everyone,
>
> In pondering ways of getting yet more keys for pwnedkeys.com, my mind
> turned
> to everyone's favourite bug, Heartbleed. Whilst hitting all the vulnerable
>
If malloc() is correctly implemented, private keys are secure from Heartbleed.
So
I think it doesn't meet the criteria. CAs can't revoke a certificate without
noticing
subscriber in advance.
But if any bugs found in future which can retrieve private keys from TLS
endpoints,
you can just use
Hi everyone,
In pondering ways of getting yet more keys for pwnedkeys.com, my mind turned
to everyone's favourite bug, Heartbleed. Whilst hitting all the vulnerable
servers and pulling their keys is eminently possible (see, as just one
example, https://github.com/robertdavidgraham/heartleech), I
5 matches
Mail list logo
