2015.12.26 01:29:31 (680545942462832640) from Daniel J. Bernstein, replying to "Andrew Ayer (@__agwa)" (680411396228558848):
The attacker can use RSA_NO_PADDING to find decryptions of small primes; post-access can decrypt anything that happens to be smooth. @__agwa
2015.12.26 01:36:36 (680547727684444160) from Daniel J. Bernstein:
Even if you limit to PKCS, has anyone analyzed how much is leaked from long fake "hashes"? Hashing should be inside security module. @__agwa
2015.12.25 05:49:01 (680248861021974530) from Daniel J. Bernstein:
Suppose an OpenSSL buffer overflow allows code exec. Target is running Titus. Can't attacker steal key using, e.g., RSA_NO_PADDING? @__agwa
2015.12.25 16:34:52 (680411396228558848) from "Andrew Ayer (@__agwa)":
@hashbreaker Attacker can use private key to heart's content, but only while he has code exec in outer process. Like storing key in HSM.