[OTR-users] OTR and OpenSSL Heartbleed vulnerability?
Alex
alex323 at gmail.com
Wed Apr 16 17:20:05 EDT 2014
On Wed, 16 Apr 2014 21:32:23 +0100
Bernard Tyers - ei8fdb <ei8fdb at ei8fdb.org> wrote:
>
> On 9 Apr 2014, at 17:55, Ian Goldberg <ian at cypherpunks.ca> wrote:
>
> > OTR is a protocol. Different implementations of the protocol might
> > use different libraries. But it doesn't really matter what library
> > the OTR implementation uses; if a vulnerable openssl is used in
> > your IM client *at all*, you're vulnerable.
> >
> > The standard libotr uses libgcrypt, for the record.
>
> Hi Ian,
>
> Can you explain when where an IM client would use openssl in terms of
> OTR? I think I am misunderstanding the your comment.
>
> I’d like to know how IM clients (if any) could be affected, in terms
> of OTR, or file transfers, etc..
>
openssl is a library that provides cryptographic primitives which can
be used to build software that implements OTR. If an IM client used
openssl to implement OTR, it wouldn't be affected by the bug because
the bug exists in an extension to the *SSL* protocol as implemented by
openssl.
If your IM client used openssl to establish connections to (say)
SSL-enabled XMPP servers, your OTR keys in theory could be leaked
because the keys exist in the IM-client's memory, and that's what the
Heartbleed bug is able to dump.
--
Alex
More information about the OTR-users
mailing list