[OTR-users] OTR and OpenSSL Heartbleed vulnerability?

Bernard Tyers - ei8fdb ei8fdb at ei8fdb.org
Wed Apr 16 17:37:40 EDT 2014


On 16 Apr 2014, at 22:29, Ximin Luo <infinity0 at pwned.gg> wrote:

> To complement the other replies, here is a bit more technical background:
> 
> If an IM-client process includes openssl code (not for OTR but e.g. to support other protocols), an attacker can cause the bad heartbleed code to be run so that it reads OTR's private data, assuming it is stored in the same process. This is the case for libotr - when a program “uses libotr”, this usually means "it loads libotr code into the process".

Thanks for the explanation. Like I mentioned, would the OTR secret keys be identifiable as such, or would it be “something that looked like a secret key”?

> One can imagine designs where different data are stored in different sub-processes. 

Hence, Daniel’s mention of “an out-of-process cryptographic agent” I presume?

> It’s quite awkward to do though, but potentially libotr could follow this route, at some significant engineering cost.

Is it likely that this separation of cryptographic processes is needed for foreseeable security issues? Asked another way (he says with his tongue in his cheek), is an exploit like this Heartbleed likely to occur again?

Thanks,
Bernard

--------------------------------------
Bernard / bluboxthief / ei8fdb

If you’d like to get in touch, please do: http://me.ei8fdb.org/
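The quoted explanation above rests on one point: a memory-disclosure bug in any library linked into the IM client can read whatever else lives in that process, private keys included, and the only design that removes the key from the reachable memory is to keep it in a separate process. The following is an added example of that "out-of-process cryptographic agent" pattern; it is not libotr code and not part of this thread. The agent is a child Python interpreter that generates its key in its own memory and only ever answers sign and verify requests over a pipe, so the client process never holds the key at all. HMAC-SHA256 stands in for the real OTR signing key, and the JSON request format, the operation names and the `KeyAgent` class are assumptions made for this illustration.

```python
"""Minimal out-of-process key agent (added illustration, not libotr code).

The client process below never holds the key: the key is generated inside
the agent child process and never crosses the pipe. A memory over-read in
the client (e.g. from an unrelated library linked into it) therefore cannot
disclose it. HMAC-SHA256 is a stand-in for a real signing key; the wire
protocol (one JSON object per line) is an assumption for this example.
"""
import json
import subprocess
import sys

# Source of the agent process. It is started with "python -c" so the example
# is self-contained and does not depend on module import paths.
AGENT_SOURCE = r'''
import sys, json, os, hmac, hashlib
key = os.urandom(32)  # generated here, in the agent; never written to stdout
for line in sys.stdin:
    req = json.loads(line)
    op = req.get("op")
    if op == "sign":
        sig = hmac.new(key, bytes.fromhex(req["msg"]), hashlib.sha256).hexdigest()
        resp = {"ok": True, "sig": sig}
    elif op == "verify":
        expected = hmac.new(key, bytes.fromhex(req["msg"]), hashlib.sha256).hexdigest()
        resp = {"ok": True, "valid": hmac.compare_digest(expected, req["sig"])}
    elif op == "quit":
        break
    else:
        # Anything else, including any attempt to export the key, is refused.
        resp = {"ok": False, "error": "unsupported op: %s" % op}
    sys.stdout.write(json.dumps(resp) + "\n")
    sys.stdout.flush()
'''


class KeyAgent:
    """Client-side handle to the agent. Holds pipe endpoints, never the key."""

    def __init__(self):
        self._proc = subprocess.Popen(
            [sys.executable, "-c", AGENT_SOURCE],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True,
        )

    def _call(self, req):
        """Send one request line and read one response line."""
        self._proc.stdin.write(json.dumps(req) + "\n")
        self._proc.stdin.flush()
        line = self._proc.stdout.readline()
        if not line:
            raise RuntimeError("key agent exited unexpectedly")
        return json.loads(line)

    def sign(self, msg: bytes) -> bytes:
        resp = self._call({"op": "sign", "msg": msg.hex()})
        return bytes.fromhex(resp["sig"])

    def verify(self, msg: bytes, sig: bytes) -> bool:
        resp = self._call({"op": "verify", "msg": msg.hex(), "sig": sig.hex()})
        return bool(resp["valid"])

    def request_key_export(self) -> dict:
        """Illustrates that the agent has no path to hand the key out."""
        return self._call({"op": "export_key"})

    def close(self):
        try:
            self._proc.stdin.write(json.dumps({"op": "quit"}) + "\n")
            self._proc.stdin.flush()
        except (BrokenPipeError, ValueError):
            pass
        self._proc.stdin.close()
        self._proc.wait(timeout=10)


def demo():
    """Round-trip a signature through the agent; returns the observed results."""
    agent = KeyAgent()
    try:
        msg = b"constructed sample message"
        sig = agent.sign(msg)
        good = agent.verify(msg, sig)
        tampered = agent.verify(msg + b"!", sig)
        export = agent.request_key_export()
        return {"valid": good, "tampered_valid": tampered, "export_ok": export["ok"]}
    finally:
        agent.close()


if __name__ == "__main__":
    print(demo())
```

The check worth noticing is the one the thread's design argument hinges on: every operation that needs the key runs in the agent, and the agent's request handler has no branch that returns key material, so a client-side over-read can at most expose signatures already produced. The cost the quoted message mentions shows up in the code as well: every signature is now an IPC round trip, and the agent needs its own lifecycle management.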
