[Cryptography] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

ianG iang at iang.org
Tue Apr 8 16:10:33 EDT 2014


On 8/04/2014 20:33 pm, Nico Williams wrote:
> On Tue, Apr 08, 2014 at 01:12:25PM -0400, Jonathan Thornburg wrote:
>> On Tue, Apr 08, 2014 at 11:46:49AM +0100, ianG wrote:
>>> While everyone's madly rushing around to fix their bits&bobs, I'd
>>> encourage you all to be alert to any evidence of *damages* either
>>> anecdotally or more firm.  By damages, I mean (a) rework needed to
>>> secure, and (b) actual breach into sites and theft of secrets, etc,
>>> leading to (c) theft of property/money/value etc.
>>>
>> [[...]]
>>>
>>> E.g., if we cannot show any damages from this breach, it isn't worth
>>> spending a penny on it to fix!
>>
>> This analysis appears to say that it's not worth spending money to
>> fix a hole (bug) unless either money has already been spent or damages
>> have *already* occurred.  This ignores possible or probable (or even
>> certain!) *future* damages if no rework has yet happened.
> 
> The first part (gather data) is OK.  The second I thought was said
> facetiously.  It is flawed, indeed, but it's also true that people have
> a hard time weighing intangibles.


Right, exactly.  Thought experiment.


> I don't know how we can measure anything here.  How do you know if your
> private keys were stolen via this bug?  It should be possible to
> establish whether key theft was feasible, but establishing whether they
> were stolen might require evidence of use of stolen keys, and that might
> be very difficult to come by.


Precisely, that is the question.  What happens if we wait a year and
nothing .. happens?

What happened with the Debian random plonk?  Nothing, that I ever saw in
terms of measurable damages.  The BEAST thing?  Twitter, was it?

What happened with PKI?  We (I) watched and watched and watched ... and
it wasn't until about 2011 that something finally popped up that was a
measurable incident of damages, 512-bit RSA keys being crunched from memory.

That's 16 years!  Does that mean (a) PKI was so good that it clobbered
all attacks, or (b) PKI was so unnecessary because there was nobody
interested in attacks?

Dan Geer once said on this list [0]:

    "The design goal for any security system is that the number of
    failures is small but non-zero, i.e., N>0. If the number of failures is
    zero, there is no way to disambiguate good luck from spending too much.
    Calibration requires differing outcomes."

We now have what amounts to a *fantastic* opportunity <ghoulish laugh>
to clarify delta.  We've got a system wide breach, huge statistics, and
it's identifiable in terms of which servers are vulnerable.

Hypothesize:  Let the number of attacked servers be 1% of the population of
vulnerable servers.  Let our detection rate be 1%.  Multiply.  That
means 1 in 10,000 attacked servers.  Let's say we have 1m vulnerable
servers.

We should detect 100 attacks over the next period.

We should detect something!


> We shouldn't wait for evidence of use of
> stolen keys!


(Well, right.  I doubt we can actually tell anyone to wait.)

> Nico


iang
[0] http://financialcryptography.com/mt/archives/001255.html