[CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround
Peter
peter at pajamian.dhs.org
Wed Apr 9 20:12:38 UTC 2014
- Previous message: [CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround
- Next message: [CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 04/10/2014 03:09 AM, Markus Falb wrote:

> I am assuming that client certificates are handed out to staff. Basically you can't
> really control where people install client certificates and which client software is used.
> If one is tricked to do an SSL handshake with a malicious server, the key of the client
> certificate is leaked. Reissue of the cert won't help because on the other day there
> would be another malicious handshake with another bad server...

No, the server never sees a private client certificate; it only ever has access to the public certificate, which, by its very nature of being public, doesn't really matter if it gets leaked. No vulnerability on the server can expose a private client certificate, only a vulnerability on the client can.

Peter