
Having, on my Gentoo system, called

equery d -D openssl | grep -i thunderbird

I found that there are numerous dependencies between the email program Thunderbird and OpenSSL.

I am using the Thunderbird plugin OpenPGP to encrypt and sign some of the more important stuff I send by email. My keyset was generated using OpenPGP, and the private key never left my computer to my knowledge.

Now the question: assuming my email provider was using one of the exploitable versions of OpenSSL, and knowing that I did on my own Linux system until just yesterday, could an attacker have got hold of my private keys from my own computer while I sent a signed email?

Markus-Hermann

1 Answer


Does the Heartbleed bug require me to replace my OpenPGP keysets?

Probably not. Heartbleed was not a Remote Code Execution (RCE), so only secrets in OpenSSL-dependent executables were subject to recovery and need their key material regenerated (private keys, passwords, tokens or session cookies).

If an OpenSSL-dependent executable loaded your OpenPGP keys, then yes.

jww
  • Yep, that is the heart of the question, so to speak! Does the IMAP communication involve OpenSSL at some point or not? If so, 64 kB of random memory might have been read (by anyone who cares to do so). – Markus-Hermann Apr 22 '14 at 08:33
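The answer's point is that Heartbleed only reads memory belonging to the process that links the vulnerable libssl, and the comment asks how to tell whether the mail client's IMAP/TLS traffic goes through OpenSSL at all. Package dependencies (the `equery` output above) do not settle that, because a transitive dependency does not mean the library is mapped into the process that holds the private key. The script below is an added example, not code from the question, the answer or any project mentioned; it checks `/proc/<pid>/maps` for an OpenSSL `libssl.so` (NSS ships a `libssl3.so` that the pattern deliberately does not match) and classifies an OpenSSL version string against the range affected by CVE-2014-0160 (1.0.1 through 1.0.1f, plus 1.0.2-beta1). The maps excerpts inside `demo` are constructed for the example; the paths, addresses and process names are not from a real system.

```shell
#!/bin/sh
# Added example; not code from the original question or answer.
# Heartbleed (CVE-2014-0160) reads memory only from the process that links the
# vulnerable libssl, so the two things to establish are:
#   1. which processes actually have OpenSSL's libssl.so mapped, and
#   2. whether that libssl is a build in the affected version range.
# The process that holds the OpenPGP private key is the one that matters.

# Return 0 if a /proc/<pid>/maps-style file names an OpenSSL libssl, else 1.
# The pattern requires "libssl." so NSS's libssl3.so does not match.
libssl_mapped() {
    grep -q '/libssl\.so' "$1"
}

# Return 0 if an OpenSSL version string falls in the Heartbleed-affected
# range: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. A build compiled with
# OPENSSL_NO_HEARTBEATS is safe regardless; this string check cannot see that.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every live process with an OpenSSL libssl mapped: "<pid>\t<cmdline>".
# Reading other users' maps needs root, so run as root for a full picture.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if libssl_mapped "$maps" 2>/dev/null; then
            printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Offline demonstration on constructed maps excerpts (paths, addresses and
# process names are made up for the example, not taken from a real system).
demo() {
    dir=$(mktemp -d)
    # A process that links OpenSSL directly.
    cat > "$dir/curl.maps" <<'EOF'
7f3a10000000-7f3a10200000 r-xp 00000000 08:01 1234 /usr/lib64/libssl.so.1.0.0
7f3a10200000-7f3a10400000 r-xp 00000000 08:01 1235 /usr/lib64/libcrypto.so.1.0.0
EOF
    # A process that does its TLS with NSS and has no OpenSSL libssl mapped.
    cat > "$dir/mail.maps" <<'EOF'
7f3a20000000-7f3a20200000 r-xp 00000000 08:01 2345 /usr/lib64/libnss3.so
7f3a20200000-7f3a20400000 r-xp 00000000 08:01 2346 /usr/lib64/libssl3.so
EOF
    for f in curl mail; do
        if libssl_mapped "$dir/$f.maps"; then
            echo "$f: OpenSSL libssl mapped; its memory is readable via Heartbleed if the version is affected"
        else
            echo "$f: no OpenSSL libssl mapped; Heartbleed cannot read this process"
        fi
    done
    for v in 1.0.1e 1.0.1f 1.0.1g 1.0.0l 1.0.2-beta1; do
        if heartbleed_affected "$v"; then
            echo "OpenSSL $v: affected"
        else
            echo "OpenSSL $v: not affected"
        fi
    done
    rm -rf "$dir"
}

demo
```

To apply this to the question, run `scan_processes` as root while the mail client is open and a signed message is being sent, and look for the process that actually has the PGP secret key loaded (the `gpg` binary invoked by the plugin, or `gpg-agent` with GnuPG 2) in the output. If that process does not appear, the key material was never in an address space Heartbleed could read; if it does, combine the result with `openssl version` (or the Gentoo package version) and `heartbleed_affected` to decide whether the key needs replacing.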