Access to www.gnupg.org only via TLS
David Shaw
dshaw at jabberwocky.com
Wed Apr 30 22:26:09 CEST 2014
On Apr 30, 2014, at 3:23 PM, Doug Barton <dougb at dougbarton.us> wrote:
> ... your whole premise seems to be invalid as there is no clear evidence at this time (that I'm aware of, and I've been paying attention) that any actual secret keys have been compromised by Heartbleed. It was listed as a potential risk when the vulnerability was first announced, but several groups have done research on that specific point and have found that it would be sufficiently difficult, if not actually impossible; to render this particular risk as negligible at best.
There were questions early on whether grabbing secret keys was possible via Heartbleed or not. Since then, it's been proven that it is definitely possible. At least one company set up a server and invited people to try and steal the secret key via Heartbleed. It took less than a day:
http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge
Here's a program that automates the process. Just run it and wait:
http://blog.erratasec.com/2014/04/cloudflare-challenge-writeup.html
I can't speak to whether actual (meaning "not example keys put there for the purpose of stealing") secret keys have been compromised by Heartbleed, but it's definitely not impossible (or all that difficult now that someone has done the hard part - just start a script and walk away).
David
More information about the Gnupg-users
mailing list