Morning. Just saw this:
http://vrt-blog.snort.org/2014/04/heartbleed-continued-openssl-client.html
Which I thought might be useful to know.
-- Juha Saarinen twitter: juhasaarinen
Although clients are at risk, the vast majority of browsers do NOT use
OpenSSL.
None of IE, Chrome, Firefox or Safari use OpenSSL, with the possible
exception being on Android devices.
Clients such as wget and curl will likely be vulnerable, but the impact is
small - there isn't going to be much in memory that isn't already being
sent to the remote server anyway.
There are certainly some clients such as mail servers (when connecting to
another mail server) where it's an issue, but in most cases those will be
covered under the "server" category anyway.
But yeah, point remains - update everywhere, even where you're not running
TLS servers!
Scott
On Thu, Apr 10, 2014 at 3:06 PM, Juha Saarinen
Morning. Just saw this:
http://vrt-blog.snort.org/2014/04/heartbleed-continued-openssl-client.html
Which I thought might be useful to know.
-- Juha Saarinen twitter: juhasaarinen http://twitter.com/juhasaarinen
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
On 10 Apr 2014, at 18:16, Scott Howard
Although clients are at risk, the vast majority of browsers do NOT use OpenSSL
Note that a "reverse heartbleed" attack has been described, which has the potential to harvest data from clients who have connected to rogue servers (such as might be triggered by an embedded image in some spam, or by a similarly-crafted banner ad).
http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed
In other news, Randall Munroe has managed once again to describe a potentially-complicated problem in a six-panel cartoon that a child would have no problem understanding:
http://xkcd.com/1354/
Joe