From owner-freebsd-security@FreeBSD.ORG Tue Apr 8 14:18:08 2014
Subject: Re: http://heartbleed.com/
From: Merijn Verstraaten
Date: Tue, 8 Apr 2014 16:09:29 +0200
To: Mike Tancsa
Cc: Thomas Steen Rasmussen, freebsd-security@freebsd.org, d@delphij.net
In-Reply-To: <5343FD71.6030404@sentex.net>
Message-Id: <8F4C4FB3-2934-42BC-AC75-26FE45FEDB36@inconsistent.nl>
References: <53430F72.1040307@gibfest.dk> <53431275.4080906@delphij.net> <5343FD71.6030404@sentex.net>
List-Id: "Security issues [members-only posting]"

On Apr 8, 2014, at 15:45, Mike Tancsa wrote:

> Hi,
> I am trying to understand the implications of this bug in the context of a vulnerable client, connecting to a server that does not have this extension. e.g. a client app linked against 1.xx that's vulnerable talking to a server that is running something from RELENG_8 in the base (0.9.8.x). Is the server still at risk? Will the client still bleed information?
>
> ---Mike

Information can be bled from a vulnerable OpenSSL talking to a malicious peer (i.e. malicious peer forces heartbeat and bleeds info from the vulnerable app). So no, vulnerable clients can't bleed info from safe servers. More importantly, since the leak only occurs when talking to malicious peers, your clients should be safe if they only communicate with trusted servers (since, presumably, your own servers don't maliciously enable heartbeat and leak info from clients).
Of course it's still recommended to update your clients and renew keys, but in practice the risk should be minor for clients that only talk to secure servers.

Cheers,
Merijn
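To make the direction of the leak in the reply above concrete (only the side that processes an incoming heartbeat can leak, a patched side rejects an over-claimed length, and a 0.9.8 peer without the extension never processes the record at all), here is an added C model of heartbeat record handling. It is not OpenSSL's source and not from the thread; `handle_heartbeat`, the result codes and the two constructed records are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Model of heartbeat (RFC 6520) record handling on the receiving side.
 * Added illustration, not OpenSSL's source; all names are hypothetical. */
enum hb_result { HB_REPLIED, HB_DROPPED_NO_EXTENSION, HB_REJECTED };
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */
/* ext_negotiated models a peer that never processes heartbeats (a 0.9.8 server
 * lacking the extension): it cannot leak because it never replies. The length
 * check is the patched behaviour: the claimed payload must fit in the record. */
enum hb_result handle_heartbeat(const uint8_t *rec, size_t rec_len, bool ext_negotiated,
                                uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (!ext_negotiated)
        return HB_DROPPED_NO_EXTENSION;
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST)
        return HB_REJECTED;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The Heartbleed check: an over-claimed length would otherwise make the
     * echo read 'claimed' bytes of process memory beyond the record. */
    if (3 + claimed + HB_PADDING > rec_len || 3 + claimed + HB_PADDING > out_cap)
        return HB_REJECTED;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);         /* echo only received bytes */
    memset(out + 3 + claimed, 0, HB_PADDING);  /* random in real TLS */
    *out_len = 3 + claimed + HB_PADDING;
    return HB_REPLIED;
}
/* Constructed request: claimed length 5, payload "hello", zero padding.
 * Returns the echoed response length, or -1 if the handler did not reply. */
int demo_wellformed(void)
{
    uint8_t rec[3 + 5 + HB_PADDING] = {HB_REQUEST, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    size_t n;
    return handle_heartbeat(rec, sizeof rec, true, out, sizeof out, &n) == HB_REPLIED ? (int)n : -1;
}
/* Constructed request claiming 0x4000 payload bytes while carrying one:
 * a patched peer rejects it; a peer without the extension never looks at it. */
enum hb_result demo_overclaimed(bool ext_negotiated)
{
    uint8_t rec[3 + 1 + HB_PADDING] = {HB_REQUEST, 0x40, 0x00, 'A'};
    uint8_t out[64];
    size_t n;
    return handle_heartbeat(rec, sizeof rec, ext_negotiated, out, sizeof out, &n);
}
```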