[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Private keys at risk due to HeartBleed: Are we sure?

On 4/10/2014 3:16 AM, Fabio Pietrosanti (naif) wrote:

are we really sure that the "private keys" are being compromised due to
the heartbleed attack?

I see many people upgrading, that's OK, but then i see many people
changing private keys.

I read here that's very unlikley that a private key can be retrieved:

I didn't read of private keys actually being stolen, only that it was a possibility. Many patched software bugs are never exploited maliciously, but it's still necessary to patch them.

I've slept since reading OpenSSL.org's advisory, but seems they reported that stealing private keys was possible; not that everyone trying it would be successful. It's unlikely they'd release exact steps how to exploit it. It was also reported that exploits of this bug wouldn't / likely wouldn't leave any trace of the activity.

Any business that has *isolated* incidents of exploits for any bug probably won't go straight to the press, risking massive loss of consumer confidence over a few people being affected. For this, it could take some time before exploits are ever reported, if ever (by businesses).
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to