Hi, are we really sure that the "private keys" are being compromised due to the heartbleed attack?
I see many people upgrading, that's OK, but then i see many people changing private keys. I read here that's very unlikley that a private key can be retrieved: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html Here there's the list of PoC/Exploits: https://blog.bugcrowd.com/heartbleed-exploit-yet/ I read of several people that tried deeply the exploits but wasn't able to recover the private key in any case. The only occurence of private-key disclosure that i read related to FreeBSD, on Twitter: https://twitter.com/1njected/status/453781230593769472 The same person say that on Linux he wasn't able to retrieve the private key. So, before going into this urgent rush of private key changing, can we assess deeply and technically in which context the private key disclosure effectively exists? In which "software / operating system" pair does the private key disclosure is an effect of the vulnerability? On which "software / operating system" pair is not technically exploitable, so the private keys has to be considered safe? Maybe Linux is immune to private key dislcosure but FreeBSD is not? -- Fabio Pietrosanti (naif) HERMES - Center for Transparency and Digital Human Rights http://logioshermes.org - http://globaleaks.org - http://tor2web.org -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
