[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

To: cypherpunks@xxxxxxxxxx
Subject: Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
From: grarpamp <grarpamp@xxxxxxxxx>
Date: Fri, 11 Apr 2014 18:48:11 -0400
Cc: tor-talk@xxxxxxxxxxxxxxxxxxxx
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 11 Apr 2014 18:56:57 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=WTONfo5FZyslhvB7G0+A9gWcgKnQILN+LHT4pxVzOKQ=; b=K54T0/nRMNs1oEfPS9TMnusauCHTHJqHy5+Gdf6eO8X5fTIOOX+5zwY/YKh4q75xi4 A98eO03DUSW0/GDw3ROITfcyEh5Yp8/t1uCzpLd/UZ0ru+q0pvSd3ktFANFkLZKj2UyX cHPWXJuyVCpVDmp/7yZwMTEaEX2l/jDxkEuMtkFO7wGFWTSfY2mHa4p3bKs8buW9vdjI bHnJm4iUnhFjaIE33+pB3A/Kq5M3xKwnuXhpAp4Fr3axuPQJIP6ck159XrSE+jd2tbMR 8IlBUoRcQl6mOvQ0Q4R6FLK0GD48TA8v6aczDrFc8ZtAUCtH8MHSJaHD6S4ZKHS9GMsI mCdQ==
In-reply-to: <a0b6e734-6370-49da-9e90-0bf3a5ffa715@xxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <CAD2Ti2_tOpe+gvwqwr3G91jnFw8T=ihsaEYsB53+6iDh8reEwQ@xxxxxxxxxxxxxx> <20140411031512.1B3E12280F8@xxxxxxxxxxxxxxxxx> <149518711.83101.1397221629681.JavaMail.www@wwinf8224> <a0b6e734-6370-49da-9e90-0bf3a5ffa715@xxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On Fri, Apr 11, 2014 at 9:37 AM, Cathal Garvey (Phone)
<cathalgarvey@xxxxxxxxxxxxxxx> wrote:
> It'd be hard to hide an insertion if the devs all dig into the hashes of
> commits of their own local repos and compare, right? Even a broken hash
> would require changing input, so they could go an extra step and verify each
> commit using another hash algo, if they were feeling super-paranoid.

The detection would often occur with a scrub type of
routine maintenance check or automatically depending
on the system.

And unfortunately there are many critical repos that
essentially refuse to move to a revcontrol system that
employs signable hashes/merkle such that a cracked
repo or even bitrot could be detected. Often out of such
non claims [1] as workflow and effort to switch. FreeBSD
is an example of such a key repo.

http://www.git-scm.com/
http://www.git-scm.com/about/distributed

[1] Considering potential the core-outwards architectural
integrity benefits, among others.

>> This article makes an interesting point, we got to dig a bit more from our
>> pockets:
>>
>> http://www.wired.com/2014/04/heartbleedslesson/
>>
>> The second point I wish to make is the surprise by which the original
>> developer took the issue. Maybe, just maybe, he did not create that flaw
>> at all.
>>
>> It could have been inserted into the OpenSSL repository through a backdoor
>> ... or why would the spies by so interested in hacking professors that deal
>> with crypto and whose word is trusted by the masses? Like they did to a
>> Belgian cryptographer? Was that fellow nerd a turrist of sorts?
>>
>> It may be possible that Segelmann did his job correctly, that the reviewer
>> did his job correctly, but someone unknown may have changed it just a little
>> bit before delivery.
>>
>>
>> Besides funding projects like OpenSSL better, we should start considering
>> the security of the repositories themselves.
>>
>> What ya fellow coders think?
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
  - From: grarpamp

Prev by Author: [tor-talk] WebSockets [was: DNS leak in FF 27.0? (Bitcoin)]
Next by Author: Re: [tor-talk] Tor hidden services not working
Previous by thread: Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Next by thread: Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Index(es):
- Author
- Thread