On Apr 30, 2014, at 3:23 PM, Doug Barton <do...@dougbarton.us> wrote:
> ... your whole premise seems to be invalid as there is no clear evidence at
> this time (that I'm aware of, and I've been paying attention) that any actual
> secret keys have been compromised by Heartbleed. It was listed as a potential
> risk when the vulnerability was first announced, but several groups have done
> research on that specific point and have found that it would be sufficiently
> difficult, if not actually impossible, to render this particular risk as
> negligible at best.

There were questions early on whether grabbing secret keys was possible via Heartbleed or not. Since then, it's been proven that it is definitely possible. At least one company set up a server and invited people to try and steal the secret key via Heartbleed. It took less than a day:

http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

Here's a program that automates the process. Just run it and wait:

http://blog.erratasec.com/2014/04/cloudflare-challenge-writeup.html

I can't speak to whether actual (meaning "not example keys put there for the purpose of stealing") secret keys have been compromised by Heartbleed, but it's definitely not impossible (or all that difficult now that someone has done the hard part - just start a script and walk away).

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users