* Jeremie Marguerie <jere...@marguerie.org> [140409 15:28]:
> Yes the private keys can be compromised, but the perfect secrecy
> should ensure that unless someone was doing an active MITM and had the
> private key, the communications were safe.

As the communication was part of the data transported with the ssl library those communications might have also been read via the vulnerability in question.

The only thing PFS gives you is that someone recording the encrypted traffic (i.e. being able to control some router between you and that host) and getting the private key (e.g. via this vulnerability) would not be able to decrypt this data (unless of course there is weak randomness on one of the two sides, in which case PFS as implemented in SSL does not even need you to get the private key). While the vulnerability means that anyone could have read data running over this server by just being able to open a tcp connection there, without any wiretapping, man in the middle or anything else special.

Bernhard R. Link
-- 
F8AC 04D5 0B9B 064B 3383 C3DA AFFC 96D1 151D FFDC