On Apr 8, 2014, at 15:45, Mike Tancsa wrote:
> Hi,
> I am trying to understand the implications of this bug in the context of a vulnerable client, connecting to a server that does not have this extension. e.g. a client app linked against 1.xx that's vulnerable talking to a server that is running something from RELENG_8 in the base (0.9.8.x). Is the server still at risk? Will the client still bleed information?
>
> ---Mike

Information can be bled from a vulnerable OpenSSL talking to a malicious peer (i.e. malicious peer forces heartbeat and bleeds info from the vulnerable app). So no, vulnerable clients can't bleed info from safe servers. More importantly, since the leak only occurs when talking to malicious peers, your clients should be safe if they only communicate with trusted servers (since, presumably, your own servers don't maliciously enable heartbeat and leak info from clients).

Of course it's still recommended to update your clients and renew keys, but in practice the risk should be minor for clients that only talk to secure servers.
Cheers,
Merijn
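Merijn's point above (the bleed happens on whichever side receives a heartbeat whose declared payload length exceeds what the peer actually sent, so a client that only talks to honest servers is never handed such a record), as an added C example that is not code from this thread or from OpenSSL: a heartbeat handler carrying the bounds check the fix introduced. `hb_handle`, `hb_build` and the two sample records are constructed here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16
#define HB_HDR         3   /* type(1) + payload_length(2) */
enum hb_status { HB_REJECT_SHORT = -1, HB_REJECT_LENGTH = -2, HB_REJECT_TYPE = -3 };

/* Handle one heartbeat record (RFC 6520 layout: type | payload_length | payload | padding >= 16).
 * rec_len is the number of bytes that really arrived. On a valid request, writes the echo
 * response into out and returns its length; otherwise returns a negative hb_status. */
int hb_handle(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < (size_t)(HB_HDR + HB_MIN_PADDING)) return HB_REJECT_SHORT;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The check the Heartbleed fix added: the length the peer *declares* must fit inside the
     * bytes the peer *sent*; without it the echo copies whatever memory lies past the record. */
    if ((size_t)HB_HDR + payload_len + HB_MIN_PADDING > rec_len) return HB_REJECT_LENGTH;
    if (rec[0] != HB_REQUEST) return HB_REJECT_TYPE;
    size_t resp_len = HB_HDR + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return HB_REJECT_SHORT;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);        /* only bytes the peer actually sent */
    memset(out + HB_HDR + payload_len, 0, HB_MIN_PADDING);  /* real TLS uses random padding */
    return (int)resp_len;
}

/* Constructed sample record: declares `declared` payload bytes but carries only `actual`. */
static size_t hb_build(uint8_t *buf, uint16_t declared, size_t actual) {
    buf[0] = HB_REQUEST; buf[1] = (uint8_t)(declared >> 8); buf[2] = (uint8_t)declared;
    memset(buf + HB_HDR, 'A', actual);
    memset(buf + HB_HDR + actual, 0, HB_MIN_PADDING);
    return HB_HDR + actual + HB_MIN_PADDING;
}
/* Well-behaved peer: declares 5 bytes, sends 5. Returns the response length, 24. */
int hb_demo_benign(void) {
    uint8_t rec[64], out[64];
    return hb_handle(rec, hb_build(rec, 5, 5), out, sizeof out);
}
/* Malicious peer: declares 16384 bytes, sends 5. Returns HB_REJECT_LENGTH (-2); nothing is copied. */
int hb_demo_mismatched(void) {
    uint8_t rec[64], out[64];
    return hb_handle(rec, hb_build(rec, 0x4000, 5), out, sizeof out);
}

int main(void) {
    printf("benign -> %d, mismatched -> %d\n", hb_demo_benign(), hb_demo_mismatched());
    return 0;
}
```

The mismatched record is rejected before any copy takes place, which is exactly why only a peer that sends such a record can trigger the leak on the vulnerable side.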