SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Reverse Heartbleed Client Vulnerability
Date    Friday April 18 2014, @10:09PM
Author    janrinok
Topic   
from the bigger-problem-than-first-thought dept.
https://soylentnews.org/article.pl?sid=14/04/18/1853205

Yog-Yogguth writes:

From Testing for reverse Heartbleed courtesy of Schneier's blog:

"Anything that speaks TLS using OpenSSL is potentially vulnerable, but there are two main classes of client apps that are worth mentioning:

  1. Traditional clients are things like web browsers, apps that use HTTP APIs [snip]
  2. Open agents are clients that can be driven by an attacker but don't reside on an attacker's machine. If you can direct some remote application to fetch a URL on your behalf, then you could theoretically attack that application. The web is full of applications that accept URLs and do something with them; any of these have the potential to be vulnerable [snip]"

The main conclusion so far is that one has to purge all flawed versions of OpenSSL from all computers: server or client makes no real difference, firewalls make no real difference either as the bug now works both inbound and outbound.

There is also a Reverse Heartbleed Tester.
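The client-side mechanism behind "reverse" Heartbleed, as an added example that is not code from the article, from Meldium, or from OpenSSL: a malicious TLS server sends a Heartbeat request whose declared payload length exceeds the bytes it actually sent, and a client built on an affected OpenSSL echoes back that many bytes of its own memory. The record layout is the real RFC 6520 one (type, two-byte payload_length, payload, at least 16 bytes of padding) and the length checks in the "fixed" handler mirror the shape of the OpenSSL 1.0.1g patch; the "process memory" arena, the secret placed after the record, and the helper names are constructed here so the disclosure can be seen offline. The version-string check at the end is a heuristic for the "purge all flawed versions" advice: upstream 1.0.1 through 1.0.1f (and 1.0.2-beta1) are the affected releases, but distributions backported the fix without changing the version string, so a hit means "check the vendor advisory", not "confirmed vulnerable".

```python
"""Reverse Heartbleed, simulated on the client side (added example)."""
import re
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: padding must be at least 16 bytes

# Constructed stand-in for whatever sits next to the record on the client's heap
# (session cookies, keys, the last page fetched). Not a real memory dump.
ADJACENT_SECRET = b"Cookie: session=constructed-secret-value-7f3a\r\n"


def build_heartbeat_request(declared_len, actual_payload):
    """Heartbeat record as the attacker's server would send it: the header
    claims declared_len bytes, but only actual_payload is really on the wire."""
    return (struct.pack("!BH", HEARTBEAT_REQUEST, declared_len)
            + actual_payload + b"\x00" * MIN_PADDING)


def vulnerable_client_heartbeat(memory, record_len):
    """Pre-1.0.1g behaviour: trust the peer's payload_length and copy that many
    bytes from the payload start, never comparing it with record_len."""
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    # Missing bounds check: the slice runs past the record into ADJACENT_SECRET.
    payload = memory[3:3 + payload_len]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len)
            + payload + b"\x00" * MIN_PADDING)


def fixed_client_heartbeat(memory, record_len):
    """1.0.1g-style fix: header + declared payload + minimum padding must fit in
    the record actually received; otherwise drop the request silently."""
    if 1 + 2 + MIN_PADDING > record_len:
        return None
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None
    if hbtype != HEARTBEAT_REQUEST:
        return None
    payload = memory[3:3 + payload_len]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len)
            + payload + b"\x00" * MIN_PADDING)


def simulate(handler, declared_len, actual_payload=b"hi"):
    """Place the received record in a constructed arena with secret data after
    it, then hand it to the chosen heartbeat handler."""
    record = build_heartbeat_request(declared_len, actual_payload)
    memory = record + ADJACENT_SECRET
    return handler(memory, len(record))


def leaked_secret(response):
    """True if the echoed payload carries bytes from beyond the record."""
    return response is not None and ADJACENT_SECRET[:16] in response


def openssl_version_is_heartbleed_range(version_string):
    """Heuristic on the upstream version string (e.g. ssl.OPENSSL_VERSION).
    True for 1.0.1 .. 1.0.1f and 1.0.2-beta1. Vendor backports keep the old
    string, so treat True as 'verify with the vendor', not as proof."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta1)?", version_string)
    if not m:
        return False
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter in ("", "a", "b", "c", "d", "e", "f")
    if (major, minor, patch) == (1, 0, 2):
        return beta == "-beta1"
    return False


if __name__ == "__main__":
    import ssl
    print("vulnerable handler, declared 64:", simulate(vulnerable_client_heartbeat, 64))
    print("fixed handler, declared 64:", simulate(fixed_client_heartbeat, 64))
    print("this interpreter's OpenSSL:", ssl.OPENSSL_VERSION,
          "affected-range string:", openssl_version_is_heartbleed_range(ssl.OPENSSL_VERSION))
```

The same asymmetry the quoted text describes is visible in the arena: nothing about the copy cares whether the process is a server or a client, only that it parsed the peer's record, which is why a firewall that allows outbound TLS does not help an "open agent" that fetches attacker-chosen URLs.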

Links

  1. "Yog-Yogguth" - http://soylentnews.org/~yog-yogguth
  2. "Testing for reverse Heartbleed" - http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed
  3. "Schneier's blog" - https://www.schneier.com/blog/archives/2014/04/reverse_heartbl.html
  4. "Reverse Heartbleed Tester" - https://reverseheartbleed.com/

© Copyright 2024 - SoylentNews, All Rights Reserved
