Re^6: Should I recompile SSL CPAN modules now?

To be clear, the heartbleed bug has nothing to do with key size directly. It has to do with using an internal allocator with a buggy LIFO rather than the system malloc() and then trusting user input over calculable data. The only thing that might help with having a longer key is that it might be slightly less likely to fit into the problem memory read into past the end of working data, but multiple 64k chunks could be read back by exploiting this bug.

Comment on Re^6: Should I recompile SSL CPAN modules now?

Replies are listed 'Best First'.
Re^7: Should I recompile SSL CPAN modules now? by zentara (Cardinal) on Apr 11, 2014 at 10:07 UTC
To be clear Thanks for explaining that. My point about people suspecting 128 bit encryption being cracked was misleading. Using the term cracked connotes that the government had a mathematically fast way to get decryption without the private key. In that case, the larger the key size would matter. However, as one security expert says, there are more than one way to crack an encryption system. In this case, the government lucked out, and some bad code allowed it to appear they mathematically cracked the encryption, with quantuum computing or whatever. Where in actuality, they were sneaky key-thiefs. While listening to a panel discussion on security on the radio, a panel which included the man wrote wrote PgP, Phil himself; someone asked if the current versions of public key encryption was mathematically sound. They all said yes, but when asked if any of them had been approached by the government for assistence in hacking their programs, they declined to answer. That silence tells alot. I'm not really a human, but I play one on earth. Old Perl Programmer Haiku ................... flash japh	[reply]

Replies are listed 'Best First'.

Re^7: Should I recompile SSL CPAN modules now?
by zentara (Cardinal) on Apr 11, 2014 at 10:07 UTC

To be clear

Thanks for explaining that. My point about people suspecting 128 bit encryption being cracked was misleading. Using the term cracked connotes that the government had a mathematically fast way to get decryption without the private key. In that case, the larger the key size would matter.

However, as one security expert says, there are more than one way to crack an encryption system. In this case, the government lucked out, and some bad code allowed it to appear they mathematically cracked the encryption, with quantuum computing or whatever. Where in actuality, they were sneaky key-thiefs.

While listening to a panel discussion on security on the radio, a panel which included the man wrote wrote PgP, Phil himself; someone asked if the current versions of public key encryption was mathematically sound. They all said yes, but when asked if any of them had been approached by the government for assistence in hacking their programs, they declined to answer. That silence tells alot.

I'm not really a human, but I play one on earth.
Old Perl Programmer Haiku ................... flash japh

[reply]