http://heartbleed.com/

Merijn Verstraaten merijn at inconsistent.nl
Tue Apr 8 14:18:08 UTC 2014


On Apr 8, 2014, at 15:45 , Mike Tancsa wrote:
> Hi,
> 	I am trying to understand the implications of this bug in the context of a vulnerable client, connecting to a server that does not have this extension.  e.g. a client app linked against 1.xx that's vulnerable talking to a server that is running something from RELENG_8 in the base (0.9.8.x).  Is the server still at risk ? Will the client still bleed information ?
> 
> 	---Mike

Information can be bled from a vulnerable OpenSSL talking to a malicious peer (i.e. malicious peer forces heartbeat and bleeds info from the vulnerable app). So no, vulnerable clients can't bleed info from safe servers. More importantly, since the leak only occurs when talking to malicious peers, your clients should be safe if they only communicate with trusted servers (since, presumably, your own servers don't maliciously enable heartbeat and leak info from clients).

Of course it's still recommended to update your clients and renew keys, but in practice the risk should be minor for clients that only talk to secure servers.

Cheers,
Merijn
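The mechanism described above, as an added model that is not part of this thread or of OpenSSL's code: the over-read happens inside the heartbeat handler of whichever side receives the request, and only when the sender claims a larger payload than it actually sent. An honest request is echoed correctly even by the vulnerable handler, which is why a vulnerable client talking only to honest servers does not leak. The record layout follows RFC 6520; the "process memory" with a secret placed right after the received record, and the function names, are constructed for the illustration. The length check in the fixed handler mirrors the one OpenSSL 1.0.1g added (type + length + claimed payload + 16 bytes of padding must fit in the received record).

```python
"""Model of the Heartbleed (CVE-2014-0160) heartbeat over-read.
Added illustration, not OpenSSL's code; memory layout and names are constructed."""
import struct

TLS_HEARTBEAT = 0x18      # record content type for the heartbeat extension (RFC 6520)
HB_REQUEST = 0x01
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of random padding
RECORD_HDR = 5            # type(1) + version(2) + length(2)
HB_HDR = 3                # heartbeat type(1) + payload_length(2)

# Constructed sample: whatever happens to sit in the heap just after the record buffer.
NEIGHBOUR_SECRET = b"session-cookie=abc123; private-key-fragment=0xDEADBEEF"


def build_heartbeat_request(payload: bytes, claimed_len: int) -> bytes:
    """Encode a heartbeat request record. An honest peer passes
    claimed_len == len(payload); a malicious peer claims more than it sends."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


def heartbeat_response_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g behaviour: trust the peer's claimed payload length and copy
    that many bytes starting at the request payload, regardless of how many
    bytes actually arrived. (A Python slice stops at the end of `memory`;
    the real code reads whatever follows the buffer, up to 64 KiB.)"""
    _hb_type, claimed = struct.unpack_from("!BH", memory, RECORD_HDR)
    start = RECORD_HDR + HB_HDR
    return memory[start:start + claimed]


def heartbeat_response_fixed(memory: bytes, record_len: int):
    """1.0.1g behaviour: silently discard the request if the claimed payload
    plus type, length and minimum padding would exceed the received record."""
    _hb_type, claimed = struct.unpack_from("!BH", memory, RECORD_HDR)
    body_len = record_len - RECORD_HDR
    if 1 + 2 + claimed + MIN_PADDING > body_len:
        return None
    start = RECORD_HDR + HB_HDR
    return memory[start:start + claimed]


def run_exchange(request: bytes, handler):
    """Deliver `request` to a peer whose heap holds the record immediately
    followed by NEIGHBOUR_SECRET, and return what the handler echoes back."""
    memory = request + NEIGHBOUR_SECRET
    return handler(memory, len(request))


def bytes_beyond_record(response, request: bytes) -> int:
    """Count echoed bytes that came from outside the received record."""
    if response is None:
        return 0
    in_record = len(request) - (RECORD_HDR + HB_HDR)   # payload + padding actually received
    return max(0, len(response) - in_record)


if __name__ == "__main__":
    honest = build_heartbeat_request(b"hi", 2)      # claims exactly what it sends
    evil = build_heartbeat_request(b"hi", 64)       # sends 2 bytes, claims 64
    for name, req in (("honest", honest), ("malicious", evil)):
        for hname, handler in (("vulnerable", heartbeat_response_vulnerable),
                               ("fixed", heartbeat_response_fixed)):
            resp = run_exchange(req, handler)
            print(f"{name:9} request -> {hname:10} peer: "
                  f"{bytes_beyond_record(resp, req)} bytes leaked, echo={resp!r}")
```

Running it shows the asymmetry the thread is about: the vulnerable handler echoes `b"hi"` for the honest request and leaks 46 bytes of the neighbouring secret for the malicious one, while the fixed handler answers the honest request normally and drops the malicious one. A peer that never sends a heartbeat (or sends only well-formed ones) does not trigger the bug on the other side, whichever version that side runs.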


More information about the freebsd-security mailing list