[tor-talk] Private keys at risk due to HeartBleed: Are we sure?
Fabio Pietrosanti (naif)
lists at infosecurity.ch
Thu Apr 10 08:16:46 UTC 2014
Hi,

are we really sure that the "private keys" are being compromised due to
the heartbleed attack?

I see many people upgrading, that's OK, but then I see many people
changing private keys.

I read here that it's very unlikely that a private key can be retrieved:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

Here is the list of PoCs/exploits:
https://blog.bugcrowd.com/heartbleed-exploit-yet/

I read of several people who tried the exploits deeply but weren't able
to recover the private key in any case.

The only occurrence of private-key disclosure that I read of was related to
FreeBSD, on Twitter:
https://twitter.com/1njected/status/453781230593769472

The same person says that on Linux he wasn't able to retrieve the private
key.

So, before going into this urgent rush of private key changing, can we
assess deeply and technically in which context the private key
disclosure effectively exists?

In which "software / operating system" pair is the private key
disclosure an effect of the vulnerability?

On which "software / operating system" pair is it not technically
exploitable, so the private keys have to be considered safe?

Maybe Linux is immune to private key disclosure but FreeBSD is not?

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org