[Ach] heartbleed -- some background...

L. Aaron Kaplan aaron at lo-res.org
Fri Apr 11 12:11:54 CEST 2014


Hi Adi,

Thanks very much for sharing this link.

On Apr 9, 2014, at 4:15 PM, Adi Kriegisch <adi at kriegisch.at> wrote:

> Hey!
> 
> I just stumbled across a mail from Theo de Raadt[1] that gives some
> insights on why there are no segfaults and why you'll always get 64K of
> highly sensitive information:
> The OpenSSL guys implemented their own malloc and free wrappers that
> allocate 64K mem chunks on all platforms to work around certain slower (but
> safer) implementations on some (OpenBSD) platforms.
> 
> It could be a good idea to add that incident to the introduction of our
> paper in a way that more clearly states that this paper only deals with
> crypto which does not mean you are safe. It just covers one (single) aspect
> of security in a pretty long chain. And as always: the weakest link
> decides...

Agreed. We already have a long disclaimer list at the beginning,
but it does no harm to add this to our disclaimers.

I'd also like to propose having a small section on heartbleed... at *least* on the web page.

Hopefully this heartbleeding will stop soon and I can get around to working more on bettercrypto again.

> 
> -- Adi
> 
> [1] http://article.gmane.org/gmane.os.openbsd.misc/211963
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

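To make the point in Theo's mail concrete, here is a toy free-list arena that hands out fixed 64K chunks. This is added example code, not OpenSSL's wrappers and not anything quoted above; the arena, the `stale_bytes_visible` function and the "secret" string are all constructed for the demo. It shows the property that matters for defenders: a chunk freed into such a list keeps its old contents, so the next caller to receive that chunk sees the previous owner's bytes unless the allocator scrubs on free. A system malloc that junk-fills freed memory (the kind of slower-but-safer implementation the mail refers to) would have removed that residue; a private wrapper that recycles its own chunks bypasses it.

```c
/* Toy 64K free-list arena (constructed example, not OpenSSL code). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_SIZE  (64 * 1024)
#define CHUNK_COUNT 4

struct chunk {
    struct chunk *next;            /* free-list link lives in the header */
    unsigned char data[CHUNK_SIZE];
};

struct arena {
    struct chunk pool[CHUNK_COUNT];
    struct chunk *free_list;
    int scrub_on_free;             /* 1 = wipe a chunk before relisting it */
};

static void arena_init(struct arena *a, int scrub_on_free)
{
    a->free_list = NULL;
    a->scrub_on_free = scrub_on_free;
    for (int i = 0; i < CHUNK_COUNT; i++) {
        memset(a->pool[i].data, 0, CHUNK_SIZE);
        a->pool[i].next = a->free_list;
        a->free_list = &a->pool[i];
    }
}

/* Pop the most recently freed chunk; no clearing on allocation,
 * exactly like a plain LIFO free list. */
static unsigned char *arena_alloc(struct arena *a)
{
    struct chunk *c = a->free_list;
    if (c == NULL)
        return NULL;
    a->free_list = c->next;
    return c->data;
}

/* Push the chunk back; only the scrubbing variant erases its payload. */
static void arena_free(struct arena *a, unsigned char *p)
{
    struct chunk *c = (struct chunk *)(p - offsetof(struct chunk, data));
    if (a->scrub_on_free)
        memset(c->data, 0, CHUNK_SIZE);
    c->next = a->free_list;
    a->free_list = c;
}

/* Returns 1 if a freshly allocated chunk still holds a previous owner's
 * bytes, 0 if it comes back clean, -1 on allocation failure. */
int stale_bytes_visible(int scrub_on_free)
{
    static const char secret[] = "CONSTRUCTED-SECRET: pretend key material";
    struct arena *a = malloc(sizeof *a);   /* ~256K, too big for the stack */
    if (a == NULL)
        return -1;
    arena_init(a, scrub_on_free);

    unsigned char *first = arena_alloc(a);
    memcpy(first, secret, sizeof secret);  /* first owner stores a secret */
    arena_free(a, first);                  /* ... and gives the chunk back */

    unsigned char *second = arena_alloc(a); /* LIFO: same chunk comes back */
    int same_chunk = (second == first);
    int residue = (memcmp(second, secret, sizeof secret) == 0);

    free(a);
    return same_chunk && residue;
}

int main(void)
{
    printf("recycling free list, no scrub: stale bytes visible = %d\n",
           stale_bytes_visible(0));
    printf("scrub on free:                 stale bytes visible = %d\n",
           stale_bytes_visible(1));
    return 0;
}
```

The first call prints 1, the second 0: the only difference between the two runs is whether `arena_free` wipes the payload, which is the guarantee a hardened system allocator can give and a private freelist wrapper silently discards. The same applies to any in-process pool or object cache that holds key material.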