[OTR-users] OTR and OpenSSL Heartbleed vulnerability?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Apr 16 17:14:09 EDT 2014 

On 04/16/2014 04:32 PM, Bernard Tyers - ei8fdb wrote:

> Can you explain when where an IM client would use openssl in terms of OTR? I think I am misunderstanding the your comment. 
> 
> I’d like to know how IM clients (if any) could be affected, in terms of OTR, or file transfers, etc..


I use IRSSI as an XMPP and IRC client.  it uses openssl to connect to
those IRC and XMPP servers that use TLS.  It also has an OTR plugin,
which uses gcrypt for the crypto.  The plugin is a shared object, which
means it loads and runs code in the main IRSSI process.

If the client's connection to an IRC or XMPP server fails, it tries to
reconnect automatically.

here's what an attacker in control of the network would do to get my OTR
key:

 * send a TCP RST to cause an existing IRC or XMPP connection to fail

 * when the client tries to reconnect, it tries to make a TLS handshake
with the remote server; the attacker handles this connection

 * during the TLS handshake phase, the client is vulnerable to the
server, which may itself send heartbeat messages, including malicious
ones.  this can happen even before the server is authenticated.

 * the attacker delays completion of the TLS handshake, but instead
sends malicious heartbeat messages.

 * IRSSI spits out chunks of memory to the attacker

 * this memory may include my OTR secret keys.

libOTR  would have been able to protect secret keys against this attack
if it could talk to an out-of-process cryptographic agent for anything
that deals with long-term key material (though of course the rest of the
memory of the irssi process, including backlogs and ephemeral keys and
all sorts of other juicy data is still vulnerable).  As far as i know,
no work has been done on using an out-of-process cryptographic agent for
libotr.

hth,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1010 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cypherpunks.ca/pipermail/otr-users/attachments/20140416/73d7df6b/attachment.pgp>

More information about the OTR-users mailing list