[CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

Thu Apr 10 15:43:25 UTC 2014
Markus Falb <wnefal at gmail.com>

On 09.Apr.2014, at 22:12, Peter <peter at pajamian.dhs.org> wrote:

> On 04/10/2014 03:09 AM, Markus Falb wrote:
>> 
>> I am assuming that client certificates are handed out to staff. Basically you can't
>> really control where people install client certificates and which client software is used.
>> If one is tricked to do a SSL Handshake with a malicious server, the key of the client
>> certificate is leaked. Reissue of the cert won't help because on the other day there
>> would be another malicious handshake with another bad server...
> 
> No, the server never sees a private client certificate, it only ever has
> access to the public certificate, which by its very nature of being
> public doesn't really matter if it gets leaked.  

I know.

> No vulnerability on the
> server can expose a private client certificate, only a vulnerability on
> the client can.

With malicious server I did not meant one that was affected
by heartbleed but a server which is run by bad people that want to exploit
vulnerable clients.

If it's easy to write a malicious client to read the server's ram, it's maybe easy to
write a malicious server that can read the client's ram? Does heartbleed work
in both directions?

Assume that the client uses a vulnerable openssl, and it connects to a malicious 
server, can the server read the ram of the client?

-- 
Markus