Date: Tue, 8 Apr 2014 16:09:29 +0200
From: Merijn Verstraaten <merijn@inconsistent.nl>
To: Mike Tancsa <mike@sentex.net>
Cc: Thomas Steen Rasmussen <thomas@gibfest.dk>, freebsd-security@freebsd.org, d@delphij.net
Subject: Re: http://heartbleed.com/
Message-ID: <8F4C4FB3-2934-42BC-AC75-26FE45FEDB36@inconsistent.nl>
In-Reply-To: <5343FD71.6030404@sentex.net>
References: <53430F72.1040307@gibfest.dk> <53431275.4080906@delphij.net> <5343FD71.6030404@sentex.net>
On Apr 8, 2014, at 15:45, Mike Tancsa wrote:

> Hi,
> I am trying to understand the implications of this bug in the context of a vulnerable client, connecting to a server that does not have this extension. e.g. a client app linked against 1.xx that's vulnerable talking to a server that is running something from RELENG_8 in the base (0.9.8.x). Is the server still at risk? Will the client still bleed information?
>
> ---Mike

Information can be bled from a vulnerable OpenSSL talking to a malicious peer (i.e. the malicious peer forces a heartbeat and bleeds info from the vulnerable app). So no, vulnerable clients can't bleed info from safe servers. More importantly, since the leak only occurs when talking to malicious peers, your clients should be safe if they only communicate with trusted servers (since, presumably, your own servers don't maliciously enable heartbeat and leak info from clients).

Of course it's still recommended to update your clients and renew keys, but in practice the risk should be minor for clients that only talk to secure servers.
Cheers,
Merijn
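To make the "malicious peer forces a heartbeat" point concrete, here is an added example that is not part of the thread and not OpenSSL's own code: a small model of TLS heartbeat handling (record layout per RFC 6520: 1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) with the pre-1.0.1g behaviour beside the bounds-checked behaviour of 1.0.1g. The function names (build_request, heartbeat_vulnerable, heartbeat_fixed, leak_demo), the simulated heap "arena" and the embedded secret string are all constructed for the example.

```c
/* Added example modelling CVE-2014-0160 (Heartbleed); not OpenSSL's code.
 * The arena below stands in for the process heap around the record buffer:
 * the record sits at offset 0 and unrelated session data sits further along. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  (1 + 2 + 65535 + HB_PADDING)   /* largest claimable response */

static uint8_t arena[ARENA_SIZE];   /* simulated heap (constructed) */

/* 16-bit big-endian read, like OpenSSL's n2s(). */
static uint16_t n2s(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Build a heartbeat request whose payload_length field is attacker-chosen
 * (claimed_len) while only actual_len payload bytes are really sent.
 * Returns the on-the-wire record length. */
size_t build_request(uint8_t *rec, uint16_t claimed_len,
                     const uint8_t *payload, size_t actual_len) {
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed_len >> 8);
    rec[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(rec + 3, payload, actual_len);
    memset(rec + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Pre-1.0.1g behaviour: trusts payload_length and never consults the real
 * record length, so the echo copies whatever follows the record in memory.
 * Returns the response length, or -1 if the request is not a heartbeat. */
long heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = n2s(p);
    p += 2;
    (void)rec_len;                       /* ignored: this is the bug */
    if (hbtype != HB_REQUEST) return -1;
    if ((size_t)(3 + payload + HB_PADDING) > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);         /* over-reads past the 2 real payload bytes */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* 1.0.1g behaviour: the claimed length must fit inside the received record
 * (1 + 2 + payload + 16 <= record length), otherwise the record is dropped. */
long heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;   /* cannot even hold header + padding */
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = n2s(p);
    p += 2;
    if (hbtype != HB_REQUEST) return -1;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* silently discard */
    if ((size_t)(3 + payload + HB_PADDING) > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Constructed scenario: a secret sits 100 bytes past the record on the same
 * "heap"; the peer claims 200 payload bytes but sends 2. Returns 1 when the
 * vulnerable handler echoes the secret and the fixed handler refuses the
 * record yet still answers an honest request; 0 otherwise. */
int leak_demo(void) {
    static uint8_t out[ARENA_SIZE];
    static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";  /* constructed */
    memset(arena, 0, sizeof arena);
    memcpy(arena + 100, secret, sizeof secret);
    size_t rec_len = build_request(arena, 200, (const uint8_t *)"hi", 2);

    long vlen = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    if (vlen != 3 + 200 + HB_PADDING) return 0;
    if (memcmp(out + 100, secret, sizeof secret) != 0) return 0;  /* secret leaked */

    if (heartbeat_fixed(arena, rec_len, out, sizeof out) != -1) return 0;

    rec_len = build_request(arena, 2, (const uint8_t *)"hi", 2);   /* honest request */
    long flen = heartbeat_fixed(arena, rec_len, out, sizeof out);
    return (flen == 3 + 2 + HB_PADDING && memcmp(out + 3, "hi", 2) == 0) ? 1 : 0;
}

int main(void) {
    printf("%s\n", leak_demo() ? "leak reproduced; fixed handler drops the record"
                               : "unexpected result");
    return 0;
}
```

The direction of the leak follows from who builds the request: only the side that receives a crafted heartbeat can over-read, which is why a vulnerable client talking to a server that lacks the extension (or that only sends honest heartbeats) leaks nothing, while the same client against a hostile server leaks up to 64 KiB of its own heap per request.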
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8F4C4FB3-2934-42BC-AC75-26FE45FEDB36>