Date:      Tue, 8 Apr 2014 16:09:29 +0200
From:      Merijn Verstraaten <merijn@inconsistent.nl>
To:        Mike Tancsa <mike@sentex.net>
Cc:        Thomas Steen Rasmussen <thomas@gibfest.dk>, freebsd-security@freebsd.org, d@delphij.net
Subject:   Re: http://heartbleed.com/
Message-ID:  <8F4C4FB3-2934-42BC-AC75-26FE45FEDB36@inconsistent.nl>
In-Reply-To: <5343FD71.6030404@sentex.net>
References:  <53430F72.1040307@gibfest.dk> <53431275.4080906@delphij.net> <5343FD71.6030404@sentex.net>



On Apr 8, 2014, at 15:45 , Mike Tancsa wrote:
> Hi,
> 	I am trying to understand the implications of this bug in the context of a vulnerable client, connecting to a server that does not have this extension.  e.g. a client app linked against 1.xx that's vulnerable talking to a server that is running something from RELENG_8 in the base (0.9.8.x).  Is the server still at risk? Will the client still bleed information?
> 
> 	---Mike

Information can be bled from a vulnerable OpenSSL talking to a malicious peer (i.e. malicious peer forces heartbeat and bleeds info from the vulnerable app). So no, vulnerable clients can't bleed info from safe servers. More importantly, since the leak only occurs when talking to malicious peers, your clients should be safe if they only communicate with trusted servers (since, presumably, your own servers don't maliciously enable heartbeat and leak info from clients).

Of course it's still recommended to update your clients and renew keys, but in practice the risk should be minor for clients that only talk to secure servers.

Cheers,
Merijn
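The exchange above turns on whether a peer advertises the RFC 6520 heartbeat extension at all (a 0.9.8 server never does). As an added example that is not part of the original thread, here is a small parser for the extensions block of a TLS ClientHello/ServerHello that reports the advertised HeartbeatMode and applies RFC 6520's rule for when HeartbeatRequests may be sent; the sample byte strings are constructed for illustration. This checks extension negotiation only, it is not a test for the bug itself.

```python
import struct

HEARTBEAT_EXT = 0x000F  # RFC 6520 "heartbeat" extension type
MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}

# Constructed samples: a client advertising heartbeat (mode 1) plus an empty
# session_ticket extension, and an old server that sends no extensions at all.
CLIENT_EXTS = bytes.fromhex("0009000f00010100230000")
OLD_SERVER_EXTS = bytes.fromhex("0000")


def parse_extensions(block: bytes) -> dict:
    """Parse a Hello extensions block (2-byte total length, then
    type(2) length(2) data entries) into {ext_type: data}."""
    if len(block) < 2:
        return {}
    (total,) = struct.unpack("!H", block[:2])
    body = block[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated extensions block")
    exts, pos = {}, 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension data")
        exts[ext_type] = data
        pos += 4 + ext_len
    return exts


def heartbeat_mode(exts: dict):
    """Advertised HeartbeatMode name, or None if the extension is absent."""
    data = exts.get(HEARTBEAT_EXT)
    if data is None:
        return None
    if len(data) != 1 or data[0] not in MODES:
        raise ValueError("malformed heartbeat extension")
    return MODES[data[0]]


def heartbeat_requests_allowed(my_exts: dict, peer_exts: dict) -> bool:
    """RFC 6520: an endpoint may send HeartbeatRequest only if both sides
    advertised the extension and the peer said peer_allowed_to_send."""
    return (heartbeat_mode(my_exts) is not None
            and heartbeat_mode(peer_exts) == "peer_allowed_to_send")
```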

