[CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround
Markus Falb
wnefal at gmail.com
Thu Apr 10 15:43:25 UTC 2014
On 09.Apr.2014, at 22:12, Peter <peter at pajamian.dhs.org> wrote:
> On 04/10/2014 03:09 AM, Markus Falb wrote:
>>
>> I am assuming that client certificates are handed out to staff. Basically you can't
>> really control where people install client certificates and which client software is used.
>> If one is tricked into doing an SSL handshake with a malicious server, the key of the client
>> certificate is leaked. Reissuing the cert won't help because on another day there
>> would be another malicious handshake with another bad server...
>
> No, the server never sees a private client certificate, it only ever has
> access to the public certificate, which by its very nature of being
> public doesn't really matter if it gets leaked.
I know.
> No vulnerability on the
> server can expose a private client certificate, only a vulnerability on
> the client can.
With malicious server I did not mean one that was affected
by heartbleed but a server that is run by bad people who want to exploit
vulnerable clients.
If it's easy to write a malicious client to read the server's RAM, is it perhaps also easy to
write a malicious server that can read the client's RAM? Does heartbleed work
in both directions?
Assume that the client uses a vulnerable OpenSSL and connects to a malicious
server: can the server read the client's RAM?
--
Markus