[OTR-users] OTR and OpenSSL Heartbleed vulnerability?

Ian Goldberg ian at cypherpunks.ca
Wed Apr 9 12:55:53 EDT 2014


On Wed, Apr 09, 2014 at 12:44:23PM -0400, dweezil wrote:
> I've been looking over the web trying to find if OTR is susceptible to the
> OpenSSL Heartbleed vulnerability and haven't found anything.
> 
> Can anyone confirm or deny (with proof/examples would be awesome) whether
> or not OTR is vulnerable?  Does OTR use OpenSSL and if so, what version?

OTR is a protocol.  Different implementations of the protocol might use
different libraries.  But it doesn't really matter what library the OTR
implementation uses; if a vulnerable openssl is used in your IM client
*at all*, you're vulnerable.

The standard libotr uses libgcrypt, for the record.

All that said, the OTR *web server* at https://otr.cypherpunks.ca/ was
indeed running a buggy openssl.  The library has since been upgraded,
the TLS certificate regenerated with fresh keys, and the old one
revoked.

   - Ian
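Ian's point is that the question "does OTR use OpenSSL?" is the wrong unit of analysis: what matters is whether *any* component loaded into the IM client process carries an affected OpenSSL. The script below is an added example, not code from the post or from the OTR project. It parses OpenSSL version banners of the form produced by `openssl version` (or `ssl.OPENSSL_VERSION`), flags the Heartbleed-affected upstream range (1.0.1 through 1.0.1f, with 1.0.1g the first fixed release; this range is a known fact, not stated in the post), audits a constructed inventory of hypothetical client components, and reports the OpenSSL the running Python interpreter itself is linked against. Every component name and banner in `SAMPLE_INVENTORY` is made up for the example.

```python
import re
import ssl

# Fact (not from the post): Heartbleed affected OpenSSL 1.0.1 through 1.0.1f,
# and 1.0.1g was the first fixed release. The 0.9.8, 1.0.0 and 1.0.2+ branches
# never contained the bug.
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 3.0.2".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, fix, letter) from an OpenSSL version banner.

    Returns None when the text carries no OpenSSL version at all, which is
    what you expect from a component built on another crypto library.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_heartbleed_vulnerable(version):
    """True for upstream releases 1.0.1 (no letter) through 1.0.1f."""
    major, minor, fix, letter = version
    if (major, minor, fix) != VULNERABLE_BRANCH:
        return False
    # "" (plain 1.0.1) sorts before "a", and "a".."f" sort before "g".
    return letter < FIRST_FIXED_LETTER


def classify(version_text):
    """Map one component's version banner to an audit status."""
    version = parse_openssl_version(version_text)
    if version is None:
        return "no-openssl"
    return "vulnerable" if is_heartbleed_vulnerable(version) else "not-affected"


def audit_components(components):
    """components: {component name: version banner}.

    Returns a sorted list of (name, banner, status) so that the whole client,
    not just the OTR piece, is reviewed in one pass.
    """
    return sorted((name, banner, classify(banner))
                  for name, banner in components.items())


def vulnerable_components(components):
    """Names of components that pull an affected OpenSSL into the process."""
    return [name for name, _, status in audit_components(components)
            if status == "vulnerable"]


def running_interpreter_status():
    """Status of the OpenSSL this Python process itself is linked against."""
    return classify(ssl.OPENSSL_VERSION)


# Constructed inventory for a hypothetical IM client; every name and banner
# here is made up for the example.
SAMPLE_INVENTORY = {
    "im-client-tls (hypothetical)": "OpenSSL 1.0.1e 11 Feb 2013",
    "otr-plugin (libotr on libgcrypt, hypothetical banner)": "libgcrypt 1.5.3",
    "voice-plugin (hypothetical)": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-plugin (hypothetical)": "OpenSSL 1.0.0k 5 Feb 2013",
}

if __name__ == "__main__":
    for name, banner, status in audit_components(SAMPLE_INVENTORY):
        print(f"{status:13} {name}: {banner}")
    print(f"this interpreter: {running_interpreter_status()} "
          f"({ssl.OPENSSL_VERSION})")
```

Two caveats when using this on a real client. First, the OTR plugin in the sample reports `no-openssl` (libotr is built on libgcrypt, as the post says), yet the client as a whole is still flagged because another component loads an affected OpenSSL; that is exactly the "at all" in the reply. Second, distribution packages routinely backport the fix without changing the version letter, so a patched build can still announce itself as 1.0.1e; a `vulnerable` result from a banner match is a prompt to check the package changelog or run a proper test, not a final verdict.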
