On 7/04/2014 22:53 pm, Edwin Chu wrote:
> Hi
>
> The latest story for OpenSSL
>
> http://heartbleed.com/
>
> The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
> cryptographic software library. This weakness allows stealing the
> information protected, under normal conditions, by the SSL/TLS
> encryption used to secure the Internet. SSL/TLS provides
> communication security and privacy over the Internet for
> applications such as web, email, instant messaging (IM) and some
> virtual private networks (VPNs).
>
> The Heartbleed bug allows anyone on the Internet to read the memory
> of the systems protected by the vulnerable versions of the OpenSSL
> software. This compromises the secret keys used to identify the
> service providers and to encrypt the traffic, the names and
> passwords of the users and the actual content. This allows attackers
> to eavesdrop communications, steal data directly from the services
> and users and to impersonate services and users.
We have here a rare case of a broad break in a security protocol leading to compromise of keys. While everyone's madly rushing around to fix their bits & bobs, I'd encourage you all to be alert to any evidence of *damages*, either anecdotal or more firm.

By damages, I mean (a) rework needed to secure, and (b) actual breach into sites and theft of secrets, etc, leading to (c) theft of property/money/value etc.

In risk analysis, we lean very heavily on firm indications of actual, tangible damages, because risk analysis is an uncertain tool and the security industry is a FUD-driven sector. Where we have actual experiences of lost money, time, destruction of property or whatever, this puts us in a much better position to predict what is worth spending money to protect.

E.g., if we cannot show any damages from this breach, it isn't worth spending a penny on it to fix! Yes, that's outrageous and will be widely ignored ... but it is economically and scientifically sound, at some level.

I maintain a risk history here:

http://wiki.cacert.org/Risk/History

for the CA field, so if anyone can find any real damages affecting the CA world, let me know!

iang

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
