On 4/10/2014 3:16 AM, Fabio Pietrosanti (naif) wrote:
> Hi, are we really sure that the "private keys" are being compromised due to the heartbleed attack? I see many people upgrading, that's OK, but then I see many people changing private keys. I read here that it's very unlikely that a private key can be retrieved: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

I didn't read of private keys actually being stolen, only that it was a possibility. Many patched software bugs are never exploited maliciously, but it's still necessary to patch them.

I've slept since reading OpenSSL.org's advisory, but it seems they reported that stealing private keys was possible; not that everyone trying it would be successful. It's unlikely they'd release exact steps on how to exploit it. It was also reported that exploits of this bug wouldn't / likely wouldn't leave any trace of the activity.

Any business that has *isolated* incidents of exploits for any bug probably won't go straight to the press, risking massive loss of consumer confidence over a few people being affected. For this, it could take some time before exploits are ever reported, if ever (by businesses).

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk