Heartbleed attack on Openssl

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Apr 10 01:34:44 CEST 2014


On 04/09/2014 07:20 PM, Robert J. Hansen wrote:

> No, it does not.  Nor does Chrome.

Chromium (on which Chrome is based) actually embeds a copy of openssl,
but doesn't use it for its TLS implementation, which is where the bug
would be triggered.  (I'm not sure why they do this embedding actually,
I haven't reviewed it).

>> 3) How about Ubuntu and other OSs? Do they use openssl to update
>> themselves? (as in "apt-get update && apt-get upgrade").
> 
> Usually not.  Repositories are normally accessed via HTTP, not HTTPS.

Even if they were accessed via https, this bug wouldn't have caused any
problem greater than a malicious attacker on the network being able to
see what packages you were downloading, and/or making you fetch an older
version of the repo you're looking at (or giving you "this repository
can't be authenticated" warnings).  This is the same situation you're in
when you download via HTTP, though, so it's not a big deal in this context.

Your software updates for apt and yum are secured by OpenPGP signatures
over the archives themselves, which are made (for responsible
repositories anyway) via secret keys that aren't exposed to the web
servers that host the archives.

	--dkg
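The point above about signatures over the archives, as an added illustration that is not part of the original thread: once gpgv has verified the signature on a Release file, the client still has to check each fetched index against the digests that file commits to, and reject a replayed older Release once its Validity window has passed (the "older version of the repo" case mentioned above). The Packages content, Release layout, dates and helper names below are constructed for the example.

```python
import hashlib
from email.utils import parsedate_to_datetime

# Constructed sample data, not from a real mirror: a tiny Packages index and
# the Release file that commits to its SHA256 and size (the file that gets signed).
PACKAGES = b"Package: example\nVersion: 1.0-1\nFilename: pool/main/e/example_1.0-1_amd64.deb\n\n"
PACKAGES_PATH = "main/binary-amd64/Packages"

def make_release(packages: bytes, path: str, date: str, valid_until: str) -> str:
    digest = hashlib.sha256(packages).hexdigest()
    return (f"Suite: stable\nDate: {date}\nValid-Until: {valid_until}\n"
            f"SHA256:\n {digest} {len(packages)} {path}\n")

RELEASE = make_release(PACKAGES, PACKAGES_PATH, "Wed, 09 Apr 2014 18:00:00 UTC",
                       "Wed, 16 Apr 2014 18:00:00 UTC")

def parse_release(text: str):
    """Return (header fields, {path: (sha256 hex, size)}) from Release text."""
    fields, hashes, in_sha = {}, {}, False
    for line in text.splitlines():
        if line.startswith(" "):            # continuation line of a hash stanza
            if in_sha:
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        in_sha = key == "SHA256"
        if not in_sha:
            fields[key] = value.strip()
    return fields, hashes

def index_matches(release: str, path: str, data: bytes) -> bool:
    """Integrity: a fetched index must match the digest and size in the signed Release."""
    entry = parse_release(release)[1].get(path)
    return (entry is not None and len(data) == entry[1]
            and hashlib.sha256(data).hexdigest() == entry[0])

def release_is_fresh(release: str, now) -> bool:
    """Freshness: reject a replayed older Release once its Valid-Until has passed.
    `now` is a timezone-aware datetime; a missing Valid-Until is treated as stale,
    which is stricter than apt's default behaviour."""
    valid_until = parse_release(release)[0].get("Valid-Until")
    return valid_until is not None and now <= parsedate_to_datetime(valid_until)
```

Signature verification itself is left to gpgv here; the two checks show why a network attacker who can only replay or tamper with traffic gets at most a warning or a stale view, not arbitrary packages.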



More information about the Gnupg-users mailing list