2014-04-09 20:51 GMT+02:00 Paul Pearce <pearce@cs.berkeley.edu>:

> * Should authorities scan for bad OpenSSL versions and force their weight
> down to 20?

I'd be interested in hearing people's thoughts on how to do such
scanning ethically (and perhaps legally). I was under the impression
the only way to do this right now is to actually trigger the bounds
bug and export some quantity (at least 1 byte) of memory from the
vulnerable machine.

Considering the consequences of having (a lot of) vulnerable machines in the network, wouldn't it be unethical NOT to do such kind of testing? I mean, basically every vulnerable relay endangers its users by making it possible to decrypt their communications. I strongly feel that the benefits (securing the network) outweigh the costs (exploiting the vulnerable machines and reading 1 byte of memory, but discarding them). Especially seeing that anybody would be able to perform the exploit, I don't see moral problems in such an aproach.

How this works out legally I of course have no idea.