Date: Thu, 10 Apr 2014 13:33:47 +0300 From: Kimmo Paasiala <kpaasial@icloud.com> To: freebsd-security@freebsd.org Cc: Dirk Engling <erdgeist@erdgeist.org> Subject: Re: http://heartbleed.com/ Message-ID: <680DECA1-4AD9-4B40-8F82-68E8499C01BB@icloud.com> In-Reply-To: <5344020E.9080001@erdgeist.org> References: <53430F72.1040307@gibfest.dk> <53431275.4080906@delphij.net> <5343FD71.6030404@sentex.net> <5344020E.9080001@erdgeist.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--Apple-Mail=_2F1E293B-BE63-41EE-BDEF-705BB82C8C8D Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 On 8.4.2014, at 17.05, Dirk Engling <erdgeist@erdgeist.org> wrote: > On 08.04.14 15:45, Mike Tancsa wrote: >=20 >> I am trying to understand the implications of this bug in the >> context of a vulnerable client, connecting to a server that does not >> have this extension. e.g. a client app linked against 1.xx thats >> vulnerable talking to a server that is running something from = RELENG_8 >> in the base (0.9.8.x). Is the server still at risk ? Will the client >> still bleed information ? >=20 > If the adversary is in control of the network and can MITM the > connection, then yes. The client leaks random chunks of up to 64k > memory, and that is for each heartbeat request the server sends. >=20 > erdgeist >=20 Going back to this original report of the vulnerability. Has it been = established with certainty that the attacker would first need MITM = capability to exploit the vulnerability? I=92m asking this because MITM = capability is not something that just any attacker can do. Also if this = is true then it can be argued that the severity of this vulnerabilty has = be greatly exaggerated. -Kimmo --Apple-Mail=_2F1E293B-BE63-41EE-BDEF-705BB82C8C8D Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJTRnOPAAoJEFvLZC0FWRVpFY0H/3Sek6VeBBJJEoUMyAtCT7i1 XEFOAqW69Qs5n4Frp2psjmjwSxUxJphWgE+/izzYDOfxV76yqDSvNJDAxdZG57gR bjt1ASSCFGuLxIuZ9h8F3PlausBn83M30ycv67g5h/mwKw3lSVmi5FRbELLk2QXu zDjBTKKmzjD5mIp2IjSTlK8WaT5GWPIZh1RMNYGHN161WL097wjfbORMXXfAT3Ys 60dXFxUdv6Fs345z9zy+g4A58/K4FCAfbfGZajdPIQecwPzzBC9um2H1oKPHSDgE 9M5Gnn39i5loRRSGAbpfwRCMS98RdLb45sQQtiSAekFDoFiOBE/CONKY85cMVA0= =cZAw -----END PGP SIGNATURE----- --Apple-Mail=_2F1E293B-BE63-41EE-BDEF-705BB82C8C8D--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?680DECA1-4AD9-4B40-8F82-68E8499C01BB>