Re: My Assessment of the Heartbleed OpenSSL bug and LedgerSMB



On 11/04/14 09:41, ario wrote:
> On Thu, 10 Apr 2014 19:04:27 +0200
> Pongrácz István <..hidden..> wrote:
> 
>> > What if they implemented this "feature" to be able to get information
>> > without trace? :)))) 
> Then they would have succeeded spectacularly with us thinking "there is
> a bug" in OpenSSL.
> 
> My preferred backup encryption scheme still would be the One Time Pad
> (OTP) as it seems really unbreakable, if it were not for the recurrency
> in the problem of: "Where do I backup the OTP itself, and how do I
> encrypt it?"
> 

Heartbleed isn't a problem with the encryption though; the encryption
didn't get broken. Any protocol could probably potentially suffer from a
buffer overflow due to a bug in the software. Given this one leaked info
from the server process, who's to say it wouldn't leak your one-time pad?

Richard


_______________________________________________
Ledger-smb-users mailing list
..hidden..
https://lists.sourceforge.net/lists/listinfo/ledger-smb-users