[Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
ianG
iang at iang.org
Tue Apr 8 06:46:49 EDT 2014
On 7/04/2014 22:53 pm, Edwin Chu wrote:
> Hi
>
> A latest story for OpenSSL
>
> http://heartbleed.com/
>
> The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
> cryptographic software library. This weakness allows stealing the
> information protected, under normal conditions, by the SSL/TLS
> encryption used to secure the Internet. SSL/TLS provides
> communication security and privacy over the Internet for
> applications such as web, email, instant messaging (IM) and some
> virtual private networks (VPNs).
>
> The Heartbleed bug allows anyone on the Internet to read the memory
> of the systems protected by the vulnerable versions of the OpenSSL
> software. This compromises the secret keys used to identify the
> service providers and to encrypt the traffic, the names and
> passwords of the users and the actual content. This allows attackers
> to eavesdrop communications, steal data directly from the services
> and users and to impersonate services and users.
We have here a rare case of a broad break in a security protocol leading
to compromise of keys.
While everyone's madly rushing around to fix their bits&bobs, I'd
encouraged you all to be alert to any evidence of *damages* either
anecdotally or more firm. By damages, I mean (a) rework needed to
secure, and (b) actual breach into sites and theft of secrets, etc,
leading to (c) theft of property/money/value etc.
In risk analysis, we lean very heavily on firm indications of actual,
tangible damages, because risk analysis is an uncertain tool and the
security industry is a FUD-driven sector. Where we have actual
experiences of lost money, time, destruction of property or whatever,
this puts us in a much better position to predict what is worth spending
money to protect.
E.g., if we cannot show any damages from this breach, it isn't worth
spending a penny on it to fix! Yes, that's outrageous and will be
widely ignored ... but it is economically and scientifically sound, at
some level.
I maintain a risk history here: http://wiki.cacert.org/Risk/History for
the CA field, so if anyone can find any real damages effecting the CA
world, let me know!
iang
More information about the cryptography
mailing list