[OTR-users] OTR and OpenSSL Heartbleed vulnerability?

Paul Wouters paul at cypherpunks.ca
Sat Apr 19 12:04:00 EDT 2014


On Wed, 16 Apr 2014, Ovnicraft wrote:

> Can you explain when where an IM client would use openssl in terms of OTR? I think I am
> misunderstanding the your comment.

For instance connecting to a XMPP/jabber server over TLS.

> In terms of OTR you are not, so if your  IM client use openssl to any implementation (following Ian comment)
> your are vulnerable.

As apparently TLS clients are also vulnerable, and the TLS/openssl code
runs in the same program memory as OTR, I would expect it to be
vulnerable.

Paul



More information about the OTR-users mailing list