2014-04-09 20:51 GMT+02:00 Paul Pearce pearce@cs.berkeley.edu:
> - Should authorities scan for bad OpenSSL versions and force their weight
> down to 20?
> I'd be interested in hearing people's thoughts on how to do such scanning ethically (and perhaps legally). I was under the impression the only way to do this right now is to actually trigger the bounds bug and export some quantity (at least 1 byte) of memory from the vulnerable machine.
Considering the consequences of having (a lot of) vulnerable machines in the network, wouldn't it be unethical NOT to do such testing? I mean, basically every vulnerable relay endangers its users by making it possible to decrypt their communications. I strongly feel that the benefits (securing the network) outweigh the costs (exploiting the vulnerable machines and reading 1 byte of memory, but discarding it). Especially seeing that anybody would be able to perform the exploit, I don't see moral problems in such an approach.
How this works out legally I of course have no idea.