[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Private keys at risk due to HeartBleed: Are we sure?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Private keys at risk due to HeartBleed: Are we sure?
From: "Fabio Pietrosanti (naif)" <lists@xxxxxxxxxxxxxxx>
Date: Thu, 10 Apr 2014 10:16:46 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 10 Apr 2014 04:27:31 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0

Hi,

are we really sure that the "private keys" are being compromised due to
the heartbleed attack?

I see many people upgrading, that's OK, but then i see many people
changing private keys.

I read here that's very unlikley that a private key can be retrieved:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

Here there's the list of PoC/Exploits:
https://blog.bugcrowd.com/heartbleed-exploit-yet/

I read of several people that tried deeply the exploits but wasn't able
to recover the private key in any case.

The only occurence of private-key disclosure that i read related to
FreeBSD, on Twitter:
https://twitter.com/1njected/status/453781230593769472

The same person say that on Linux he wasn't able to retrieve the private
key.

So, before going into this urgent rush of private key changing, can we
assess deeply and technically in which context the private key
disclosure effectively exists?

In which "software / operating system" pair does the private key
disclosure is an effect of the vulnerability?

On which "software / operating system" pair is not technically
exploitable, so the private keys has to be considered safe?

Maybe Linux is immune to private key dislcosure but FreeBSD is not?

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Private keys at risk due to HeartBleed: Are we sure?
  - From: Joe Btfsplk

Prev by Author: Re: [tor-talk] Disabling the warning for self signed certificates in Tor Browser
Next by Author: [tor-talk] Time synchronisation
Previous by thread: Re: [tor-talk] strange behavior of Tor Browser on Windows 8.1
Next by thread: Re: [tor-talk] Private keys at risk due to HeartBleed: Are we sure?
Index(es):
- Author
- Thread