[OTR-users] OTR and OpenSSL Heartbleed vulnerability?

Thijs Alkemade me at thijsalkema.de
Wed Apr 9 13:04:27 EDT 2014


On 9 Apr 2014, at 18:44, dweezil <dw33z1l at gmail.com> wrote:

> I've been looking over the web trying to find if OTR is susceptible to the OpenSSL Heartbleed vulnerability and haven't found anything.
> 
> Can anyone confirm or deny (with proof/examples would be awesome) whether or not OTR is vulnerable?  Does OTR use OpenSSL and if so, what version?

Pidgin-OTR uses libgcrypt to implement its cryptographic operations. Pidgin
itself also does not use OpenSSL.

Even if another OTR implementation were to use OpenSSL for its cryptographic
primitives (not that I know of any), the Heartbleed bug is so TLS-specific
that it's very unlikely that implementation would be vulnerable.

However, other IM clients that do use OpenSSL to implement TLS might have
leaked your OTR private keys and your decrypted messages to a malicious server
due to the Heartbleed bug.

Thijs
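A practical way to sort a client into the cases Thijs lays out (crypto via libgcrypt and no OpenSSL at all, versus TLS via an OpenSSL build in the Heartbleed range) is to look at what the binary links and which OpenSSL it is. This is an added example, not code from the list post or from any OTR project; the library listings and version strings below are constructed, and the function names are the example's own.

```shell
# Added example, not from the list post or any OTR project code.
# Decides whether an IM client falls into the case Thijs describes: its TLS
# stack is an OpenSSL build in the Heartbleed range (CVE-2014-0160, OpenSSL
# 1.0.1 through 1.0.1f; 1.0.1g fixed it). Inputs are a library listing in the
# "name => path" form that `ldd <binary>` prints and the first line of
# `openssl version`; the samples at the bottom are constructed, not real output.

# 0 if the listing mentions OpenSSL's libssl, 1 otherwise.
links_openssl() {
    printf '%s\n' "$1" | grep -q 'libssl\.so'
}

# Extracts "1.0.1e" from "OpenSSL 1.0.1e 11 Feb 2013".
openssl_version() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# 0 if the version is 1.0.1 .. 1.0.1f (the only releases with the bug).
# Caveat: distributions backported the fix into 1.0.1e builds, so a bare
# version string is only a first-pass heuristic; confirm against the package
# changelog or the vendor advisory before calling a host clean.
in_heartbleed_range() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one of: no-openssl, exposed, unaffected-version.
assess_client() {
    libs=$1; version_line=$2
    if ! links_openssl "$libs"; then
        echo no-openssl          # the libgcrypt-based Pidgin + pidgin-otr case
    elif in_heartbleed_range "$(openssl_version "$version_line")"; then
        echo exposed             # keys and plaintext in this process may have leaked
    else
        echo unaffected-version
    fi
}

# Constructed sample listings (what ldd would print, trimmed to the relevant libs).
SAMPLE_LIBS_GCRYPT='libpurple.so.0 => /usr/lib/libpurple.so.0
libotr.so.5 => /usr/lib/libotr.so.5
libgcrypt.so.11 => /usr/lib/libgcrypt.so.11'
SAMPLE_LIBS_SSL='libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0'

assess_client "$SAMPLE_LIBS_GCRYPT" "OpenSSL 1.0.1e 11 Feb 2013"   # no-openssl
assess_client "$SAMPLE_LIBS_SSL"    "OpenSSL 1.0.1e 11 Feb 2013"   # exposed
```

On a real host, feed it `ldd "$(command -v <client>)"` and `openssl version` instead of the constructed samples; an "exposed" result means the OTR keys held by that process should be treated as compromised and regenerated, as Thijs's last paragraph implies.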