2014-04-09 20:51 GMT+02:00 Paul Pearce <pea...@cs.berkeley.edu>:
>
> > * Should authorities scan for bad OpenSSL versions and force their weight
> > down to 20?
>
> I'd be interested in hearing people's thoughts on how to do such
> scanning ethically (and perhaps legally). I was under the impression
> the only way to do this right now is to actually trigger the bounds
> bug and export some quantity (at least 1 byte) of memory from the
> vulnerable machine.
Considering the consequences of having (a lot of) vulnerable machines in the network, wouldn't it be unethical NOT to do this kind of testing? I mean, basically every vulnerable relay endangers its users by making it possible to decrypt their communications. I strongly feel that the benefits (securing the network) outweigh the costs (exploiting the vulnerable machines and reading 1 byte of memory, but discarding it). Especially seeing that anybody would be able to perform the exploit, I don't see moral problems in such an approach. How this works out legally I of course have no idea.
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays