<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 9, 2014 at 11:55 AM, Ian Goldberg <span dir="ltr"><<a href="mailto:ian@cypherpunks.ca" target="_blank">ian@cypherpunks.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Wed, Apr 09, 2014 at 12:44:23PM -0400, dweezil wrote:<br>
> I've been looking over the web trying to find if OTR is susceptible to the<br>
> OpenSSL Heartbleed vulnerability and haven't found anything.<br>
><br>
> Can anyone confirm or deny (with proof/examples would be awesome) whether<br>
> or not OTR is vulnerable? Does OTR use OpenSSL and if so, what version?<br>
<br>
</div>OTR is a protocol. Different implementations of the protocol might use<br>
different libraries. But it doesn't really matter what library the OTR<br>
implementation uses; if a vulnerable openssl is used in your IM client<br>
*at all*, you're vulnerable.<br>
<br>
The standard libotr uses libgcrypt, for the record.<br>
<br>
All that said, the OTR *web server* at <a href="https://otr.cypherpunks.ca/" target="_blank">https://otr.cypherpunks.ca/</a> was<br>
indeed running a buggy openssl. The library has since been upgraded,<br>
the TLS certificate regenerated with fresh keys, and the old one<br>
revoked.<br></blockquote><div><br></div><div>It clarified all about OTR *web server* about OTR implementation is clear is not vulnerable.</div><div><br></div><div>Regards, <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
- Ian<br>
_______________________________________________<br>
OTR-users mailing list<br>
<a href="mailto:OTR-users@lists.cypherpunks.ca">OTR-users@lists.cypherpunks.ca</a><br>
<a href="http://lists.cypherpunks.ca/mailman/listinfo/otr-users" target="_blank">http://lists.cypherpunks.ca/mailman/listinfo/otr-users</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Cristian Salamea<br>@ovnicraft
</div></div>