[Cryptography] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

Nico Williams nico at cryptonector.com
Tue Apr 8 15:33:42 EDT 2014


On Tue, Apr 08, 2014 at 01:12:25PM -0400, Jonathan Thornburg wrote:
> On Tue, Apr 08, 2014 at 11:46:49AM +0100, ianG wrote:
> > While everyone's madly rushing around to fix their bits&bobs, I'd
> > encourage you all to be alert to any evidence of *damages* either
> > anecdotally or more firm.  By damages, I mean (a) rework needed to
> > secure, and (b) actual breach into sites and theft of secrets, etc,
> > leading to (c) theft of property/money/value etc.
> > 
> [[...]]
> > 
> > E.g., if we cannot show any damages from this breach, it isn't worth
> > spending a penny on it to fix!
> 
> This analysis appears to say that it's not worth spending money to
> fix a hole (bug) unless either money has already been spent or damages
> have *already* occurred.  This ignores possible or probable (or even
> certain!) *future* damages if no rework has yet happened.

The first part (gather data) is OK.  The second I thought was said
facetiously.  It is flawed, indeed, but it's also true that people have
a hard time weighing intangibles.

I don't know how we can measure anything here.  How do you know if your
private keys were stolen via this bug?  It should be possible to
establish whether key theft was feasible, but establishing whether they
were stolen might require evidence of use of stolen keys, and that might
be very difficult to come by.  We shouldn't wait for evidence of use of
stolen keys!

Nico