From: Kimmo Paasiala
To: Ed Maste
Subject: Re: http://heartbleed.com/
Date: Thu, 10 Apr 2014 18:24:24 +0300
Cc: freebsd-security@freebsd.org

On 10.4.2014, at 15.48, Ed Maste wrote:

> On 10 April 2014 06:33, Kimmo Paasiala wrote:
>>
>> Going back to this original report of the vulnerability. Has it been established with certainty that the attacker would first need MITM capability to exploit the vulnerability? I'm asking this because MITM capability is not something that just any attacker can do. Also if this is true then it can be argued that the severity of this vulnerability has been greatly exaggerated.
>
> No, the attack does not rely on MITM. The vulnerability is available
> to anyone who can establish a connection.

Yes of course when you now read the description of the problem at http://heartbleed.com/ it’s completely clear that the attack can be done by anyone. Thanks.

-Kimmo