[tor-talk] Private keys at risk due to HeartBleed: Are we sure?
Joe Btfsplk
joebtfsplk at gmx.com
Thu Apr 10 15:00:50 UTC 2014
On 4/10/2014 3:16 AM, Fabio Pietrosanti (naif) wrote:
> Hi,
>
> are we really sure that the "private keys" are being compromised due to
> the heartbleed attack?
>
> I see many people upgrading, that's OK, but then i see many people
> changing private keys.
>
> I read here that it's very unlikely that a private key can be retrieved:
> http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
>
I didn't read of private keys actually being stolen, only that it was a
possibility.
Many patched software bugs are never exploited maliciously, but it's
still necessary to patch them.
I've slept since reading OpenSSL.org's advisory, but it seems they reported
that stealing private keys was possible,
not that everyone trying it would be successful. It's unlikely they'd
release exact steps on how to exploit it.
It was also reported that exploits of this bug wouldn't / likely
wouldn't leave any trace of the activity.
Any business that has *isolated* incidents of exploits for any bug
probably won't go straight to the press, risking massive loss of
consumer confidence over a few people being affected.
For this reason, it could take some time before exploits are ever reported, if
ever (by businesses).