[OTR-users] OTR and OpenSSL Heartbleed vulnerability?

Ovnicraft ovnicraft at gmail.com
Wed Apr 9 13:10:24 EDT 2014


On Wed, Apr 9, 2014 at 11:55 AM, Ian Goldberg <ian at cypherpunks.ca> wrote:

> On Wed, Apr 09, 2014 at 12:44:23PM -0400, dweezil wrote:
> > I've been looking over the web trying to find if OTR is susceptible to the
> > OpenSSL Heartbleed vulnerability and haven't found anything.
> >
> > Can anyone confirm or deny (with proof/examples would be awesome) whether
> > or not OTR is vulnerable?  Does OTR use OpenSSL and if so, what version?
>
> OTR is a protocol.  Different implementations of the protocol might use
> different libraries.  But it doesn't really matter what library the OTR
> implementation uses; if a vulnerable openssl is used in your IM client
> *at all*, you're vulnerable.
>
> The standard libotr uses libgcrypt, for the record.
>
> All that said, the OTR *web server* at https://otr.cypherpunks.ca/ was
> indeed running a buggy openssl.  The library has since been upgraded,
> the TLS certificate regenerated with fresh keys, and the old one
> revoked.
>

That clarifies everything about the OTR *web server*; as for the OTR
implementation, it is clear that it is not vulnerable.

Regards,

>
>    - Ian



-- 
Cristian Salamea
@ovnicraft