Date: Tue, 08 Apr 2014 10:28:27 -0400 From: Mike Tancsa <mike@sentex.net> To: Merijn Verstraaten <merijn@inconsistent.nl> Cc: Thomas Steen Rasmussen <thomas@gibfest.dk>, freebsd-security@freebsd.org, d@delphij.net Subject: Re: http://heartbleed.com/ Message-ID: <5344078B.7030307@sentex.net> In-Reply-To: <8F4C4FB3-2934-42BC-AC75-26FE45FEDB36@inconsistent.nl> References: <53430F72.1040307@gibfest.dk> <53431275.4080906@delphij.net> <5343FD71.6030404@sentex.net> <8F4C4FB3-2934-42BC-AC75-26FE45FEDB36@inconsistent.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
On 4/8/2014 10:09 AM, Merijn Verstraaten wrote: > > On Apr 8, 2014, at 15:45 , Mike Tancsa wrote: >> Hi, >> I am trying to understand the implications of this bug in the context of a vulnerable client, connecting to a server that does not have this extension. e.g. a client app linked against 1.xx thats vulnerable talking to a server that is running something from RELENG_8 in the base (0.9.8.x). Is the server still at risk ? Will the client still bleed information ? >> >> ---Mike > > Information can be bled from a vulnerable OpenSSL talking to a malicious peer (i.e. malicious peer forces heartbeat and bleeds info from the vulnerable app). So no, vulnerable clients can't bleed info from safe servers. More importantly, since the leak only occurs when talking to malicious peers, your clients should be safe if they only communicate with trusted servers (since, presumably, your own servers don't maliciously enable heartbeat and leak info from clients). > > Of course it's still recommended to update your clients and renew keys, but in practice the risk should be minor for clients that only talk to secure servers. Thanks! Although we are certainly planing to update the vulnerable clients, this is not quite as dire and urgent as first described in the popular press-- at least as it applies to my client base. We also use IP addresses for the target servers in the client configs, so DNS poisoning does not apply to my scenario to trick the clients through that vector. Still, there are other ways, but this reduces the risk somewhat for my scenario at least. ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5344078B.7030307>