Full Disclosure mailing list archives
Re: heartbleed OpenSSL bug CVE-2014-0160
From: Juergen Christoffel <jc () unser net>
Date: Fri, 11 Apr 2014 09:03:52 +0200
On Thu, Apr 10, 2014 at 11:32:21PM -0700, Paul Vixie wrote:
[...] really bruce? on a scale of doesn't-matter-at-all to worst-thing-you-could-have-previously-imagined, a read only exploit is even worse than that?
With all due respect to your ego Paul, I think you might under-estimate the long term effects: private keys get stolen, this allows people to play man-in-the-middle, people (the masses) will renew their certificates but might re-use their generated private keys because the don't know exactly what they are doing, etc. As the EFF's traces back into 2013 might tell us, some bad guys exploited this for some time now. If this is the case, we might soon arrive at the conclusion that we need to exchange all certificates which had been created in the last two years. While I hope it tends to your interpretation, I fear a bit that it might be Bruces in the long run. --jc -- A great many of today's security technologies are "secure" only because no-one has ever bothered attacking them. -- Peter Gutmann _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: heartbleed OpenSSL bug CVE-2014-0160, (continued)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ingo Schmitt (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Brandon Perry (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 David Tomaschik (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ivan .Heca (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Michal Zalewski (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Paul Vixie (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Paul Vixie (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ivan .Heca (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Brandon Perry (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Marco Davids (priv) (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Juergen Christoffel (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Paul Vixie (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Michal Zalewski (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ferenc Kovacs (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Manuel Tiago Pereira (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Schmidt, Michael (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Afonso Araújo Neto (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ingo Schmitt (Apr 10)
- Message not available
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ricardo Iramar dos Santos (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 HaCKsPy (Apr 11)
- Andrew "Weev" Auernheimer's Conviction Thrown Out g () 1337 io (Apr 11)
- Re: Andrew "Weev" Auernheimer's Conviction Thrown Out Jeffrey Paul (Apr 11)