D&C GLug - Home Page


Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability

 

On Sat, Apr 12, 2014 at 09:57:30AM +0100, Tom wrote:
> Even auditing the software would have not found this - it seems the
> RFC for it requests just what happened!

That's incorrect, as xkcd pointed out yesterday:

  http://xkcd.com/1354/

The RFC states you should send the payload and its length, after which
the server returns the payload (and perhaps its length). The problem
with the implementation was that the receiving server didn't check
whether the length was actually the length of the payload and it just
returned this many bytes of memory.

> It has, however, been confirmed you can get the keys from a
> server. https://www.cloudflarechallenge.com/heartbleed

Yes, that was in the link I sent. Note that the people at CloudFlare
were extremely sceptical about the possibility of something like this
happening.

Martijn.


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
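
The missing length check described in the message above, as an added example that is not part of the original post and is not OpenSSL's code. The function names, constants and the sample record are assumptions constructed for illustration, and the response padding a real implementation appends is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PAD  16   /* RFC 6520 requires at least 16 padding bytes */

/* Flawed logic as described above: trusts the claimed length and never
 * compares it with rec_len, the number of bytes actually received. */
size_t hb_respond_unchecked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed); /* may run past the record */
    return HB_HEADER + claimed;
}

/* Corrected logic: discard silently unless header + claimed payload +
 * minimum padding fit inside the record that actually arrived. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len) return 0;
    if (HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return HB_HEADER + claimed;
}

/* Constructed demo: a 23-byte record ("bird" + 16 padding bytes) followed in
 * the same array by bytes standing in for adjacent process memory. */
size_t demo(int checked, unsigned claimed, uint8_t *out, size_t out_cap)
{
    uint8_t mem[64] = { HB_REQUEST, (uint8_t)(claimed >> 8), (uint8_t)claimed,
                        'b', 'i', 'r', 'd' };
    memcpy(mem + 23, "NEIGHBOUR", 9);
    return checked ? hb_respond_checked(mem, 23, out, out_cap)
                   : hb_respond_unchecked(mem, 23, out, out_cap);
}
```

With an honest length of 4 both functions echo "bird"; with a claimed length of 29 the unchecked one also returns the padding and the nine neighbouring bytes, while the checked one discards the request.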