[Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

ianG iang at iang.org
Tue Apr 8 06:46:49 EDT 2014 

On 7/04/2014 22:53 pm, Edwin Chu wrote:
> Hi
> 
> A latest story for OpenSSL
> 
> http://heartbleed.com/
> 
>     The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
>     cryptographic software library. This weakness allows stealing the
>     information protected, under normal conditions, by the SSL/TLS
>     encryption used to secure the Internet. SSL/TLS provides
>     communication security and privacy over the Internet for
>     applications such as web, email, instant messaging (IM) and some
>     virtual private networks (VPNs).
> 
>     The Heartbleed bug allows anyone on the Internet to read the memory
>     of the systems protected by the vulnerable versions of the OpenSSL
>     software. This compromises the secret keys used to identify the
>     service providers and to encrypt the traffic, the names and
>     passwords of the users and the actual content. This allows attackers
>     to eavesdrop communications, steal data directly from the services
>     and users and to impersonate services and users.


We have here a rare case of a broad break in a security protocol leading
to compromise of keys.

While everyone's madly rushing around to fix their bits&bobs, I'd
encouraged you all to be alert to any evidence of *damages* either
anecdotally or more firm.  By damages, I mean (a) rework needed to
secure, and (b) actual breach into sites and theft of secrets, etc,
leading to (c) theft of property/money/value etc.

In risk analysis, we lean very heavily on firm indications of actual,
tangible damages, because risk analysis is an uncertain tool and the
security industry is a FUD-driven sector.  Where we have actual
experiences of lost money, time, destruction of property or whatever,
this puts us in a much better position to predict what is worth spending
money to protect.

E.g., if we cannot show any damages from this breach, it isn't worth
spending a penny on it to fix!  Yes, that's outrageous and will be
widely ignored ... but it is economically and scientifically sound, at
some level.

I maintain a risk history here: http://wiki.cacert.org/Risk/History for
the CA field, so if anyone can find any real damages effecting the CA
world, let me know!



iang

More information about the cryptography mailing list