Title: Reverse Heartbleed Client Vulnerability
Date: Friday April 18 2014, @10:09PM
Author: janrinok
from the bigger-problem-than-first-thought dept.
From "Testing for reverse Heartbleed", courtesy of Schneier's blog:
"Anything that speaks TLS using OpenSSL is potentially vulnerable, but there are two main classes of client apps that are worth mentioning:
- Traditional clients are things like web browsers, apps that use HTTP APIs [snip]
- Open agents are clients that can be driven by an attacker but don't reside on an attacker's machine. If you can direct some remote application to fetch a URL on your behalf, then you could theoretically attack that application. The web is full of applications that accept URLs and do something with them; any of these have the potential to be vulnerable [snip]"
The main conclusion so far is that one has to purge all flawed versions of OpenSSL from all computers: whether a machine is a server or a client makes no real difference, and firewalls make no real difference either, as the bug now works both inbound (a malicious client against a server) and outbound (a malicious server against a client).
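As an added example (not part of the story above or the linked post), here is a small Python inspector that applies the RFC 6520 heartbeat length rule to captured TLS records: a heartbeat record must hold at least 3 + payload_length + 16 bytes, otherwise the message is malformed and a patched OpenSSL discards it; the flawed versions skipped that check and echoed payload_length bytes of process memory. For the client-side case the story describes, the records worth flagging are the ones a server sends towards a client. All sample records below are constructed for the example; the function and field names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

TLS_HEARTBEAT = 24          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520: at least 16 bytes of random padding
HB_HEADER = 3               # heartbeat type (1 byte) + payload_length (2 bytes)


@dataclass
class Finding:
    direction: str      # e.g. "server->client": the direction that matters for a client victim
    hb_type: int        # 1 = request, 2 = response (-1 if the header itself is truncated)
    declared_len: int   # payload_length the peer claims
    available: int      # bytes actually present after the 3-byte heartbeat header
    verdict: str


def tls_records(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (content_type, version, declared_length, fragment) for each TLS
    record header in the stream. A truncated final record yields a fragment
    shorter than declared_length so the caller can flag it."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        yield ctype, version, length, data[off + 5:off + 5 + length]
        off += 5 + length


def inspect_stream(data: bytes, direction: str) -> List[Finding]:
    """Check every heartbeat record against the RFC 6520 length rule and
    report one Finding per heartbeat; non-heartbeat records are ignored."""
    findings: List[Finding] = []
    for ctype, _version, declared_rec_len, frag in tls_records(data):
        if ctype != TLS_HEARTBEAT:
            continue
        if len(frag) < HB_HEADER:
            findings.append(Finding(direction, -1, -1, len(frag), "truncated-heartbeat-header"))
            continue
        hb_type, payload_len = struct.unpack("!BH", frag[:HB_HEADER])
        available = len(frag) - HB_HEADER
        if len(frag) < declared_rec_len:
            verdict = "truncated-record"
        elif hb_type not in (HB_REQUEST, HB_RESPONSE):
            verdict = "unknown-heartbeat-type"
        elif payload_len > available:
            verdict = "oversized-payload-length"   # the Heartbleed pattern: claims more than it carries
        elif available - payload_len < MIN_PADDING:
            verdict = "short-padding"              # also malformed per RFC 6520, must be discarded
        else:
            verdict = "ok"
        findings.append(Finding(direction, hb_type, payload_len, available, verdict))
    return findings


# Constructed sample records (TLS 1.1 record header, content type 24).
# Well-formed request: payload_length 4, payload "ping", 16 bytes of padding.
SAMPLE_BENIGN = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# Malformed request: declares a 256-byte payload but the record carries only 20 bytes after the header.
SAMPLE_OVERSIZED = b"\x18\x03\x02\x00\x17" + b"\x01\x01\x00" + b"ping" + b"\x00" * 16
# Malformed request: correct payload_length but only 8 bytes of padding.
SAMPLE_SHORT_PADDING = b"\x18\x03\x02\x00\x0f" + b"\x01\x00\x04" + b"ping" + b"\x00" * 8

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("oversized", SAMPLE_OVERSIZED),
                          ("short-padding", SAMPLE_SHORT_PADDING)):
        for f in inspect_stream(sample, "server->client"):
            print(label, f)
```

One caveat: heartbeat records sent after the handshake completes are encrypted, so an on-path inspector like this only sees plaintext heartbeats; beyond that point only the endpoint itself can apply the length check, which is why the conclusion above (purge the flawed OpenSSL builds everywhere) is the real fix rather than any network filter.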
There is also a Reverse Heartbleed Tester.
printed from SoylentNews, Reverse Heartbleed Client Vulnerability on 2024-04-18 16:05:48