Date: Thu, 10 Apr 2014 08:48:02 -0400
Subject: Re: http://heartbleed.com/
From: Ed Maste
To: Kimmo Paasiala
Cc: freebsd-security@freebsd.org

On 10 April 2014 06:33, Kimmo Paasiala wrote:
>
> Going back to this original report of the vulnerability. Has it been
> established with certainty that the attacker would first need MITM
> capability to exploit the vulnerability? I'm asking this because MITM
> capability is not something that just any attacker can do. Also if this
> is true then it can be argued that the severity of this vulnerability
> has been greatly exaggerated.

No, the attack does not rely on MITM. The vulnerability is available to anyone who can establish a connection.