[Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

Tom Mitchell mitch at niftyegg.com
Tue Apr 8 18:32:11 EDT 2014


On Tue, Apr 8, 2014 at 10:12 AM, Jonathan Thornburg <jthorn at astro.indiana.edu> wrote:

> On Tue, Apr 08, 2014 at 11:46:49AM +0100, ianG wrote:
> > While everyone's madly rushing around to fix their bits&bobs, I'd
> > encourage you all to be alert to any evidence of *damages*
>
> [[...]]
> >
> > E.g., if we cannot show any damages from this breach, it isn't worth
> > spending a penny on it to fix!
>
> This analysis appears to say that it's not worth spending money to
> fix a hole (bug) unless either money has already been spent or damages
> have *already* occurred.
>

May I add that the analysis must take into account the ability
to detect an exploit and the value of the exploit over time.
This might be very hard to detect.

To me the bigger you are or more interesting you are the
more important it is to fix.  Time makes exploited data like
a public key a risk for the life of the key and perhaps longer.

This one is especially nasty in that it may have exposed any
data visible to the ssl-bug compromised process.   In the case of
a private key escape the ability to detect future abuse is near zero.

Fixing this is important.  Less so for me but astoundingly so
for any host that a CSS might pull from or any host that transacts
money.    To some degree this is a two end problem so both
ends need to be aware.

I will be installing patched code as quickly as it shows up.

-- 
  T o m    M i t c h e l l