Re: [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

On 09.Apr.2014, at 22:12, Peter <peter@xxxxxxxxxxxxxxxx> wrote:

> On 04/10/2014 03:09 AM, Markus Falb wrote:
>> 
>> I am assuming that client certificates are handed out to staff. Basically you can't
>> really control where people install client certificates and which client software is used.
>> If one is tricked to do an SSL handshake with a malicious server, the key of the client
>> certificate is leaked. Reissue of the cert won't help because on the other day there
>> would be another malicious handshake with another bad server...
> 
> No, the server never sees a private client certificate, it only ever has
> access to the public certificate, which by its very nature of being
> public doesn't really matter if it gets leaked.  

I know.

> No vulnerability on the
> server can expose a private client certificate, only a vulnerability on
> the client can.

With malicious server I did not mean one that was affected
by heartbleed but a server which is run by bad people that want to exploit
vulnerable clients.

If it's easy to write a malicious client to read the server's ram, it's maybe easy to
write a malicious server that can read the client's ram? Does heartbleed work
in both directions?

Assume that the client uses a vulnerable openssl, and it connects to a malicious 
server, can the server read the ram of the client?

-- 
Markus
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
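The question in the thread is whether a heartbeat message is dangerous regardless of which side sends it. The HeartbeatMessage layout in RFC 6520 is the same in both directions, so the bounds check that was missing from the vulnerable OpenSSL code applies to whichever endpoint receives the record. The following added example (not from the thread or from the OpenSSL project; it assumes the TLS record and heartbeat layouts from RFC 6520 and constructs its own sample records) shows that check as a receiver-side classifier:

```python
import struct

# Constants from the TLS record layer and RFC 6520 (assumed, see lead-in).
TLS_HEARTBEAT = 0x18            # ContentType for heartbeat records
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> str:
    """Classify one raw TLS record as seen by the *receiving* endpoint.

    Returns 'ok', 'not-heartbeat', or a reason why the record must be
    discarded. The same check applies whether the receiver is a client or
    a server, because HeartbeatMessage has the same layout in both directions.
    """
    if len(record) < 5:
        return "truncated-record-header"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return "truncated-record-body"
    if rec_len < 3:
        return "truncated-heartbeat-header"
    hb_type = body[0]
    (payload_len,) = struct.unpack("!H", body[1:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "bad-heartbeat-type"
    # The bounds check the vulnerable code lacked: type byte + length field +
    # claimed payload + mandatory padding must fit in what was actually received.
    # Otherwise a responder echoing payload_len bytes reads past the record buffer.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return "payload-length-exceeds-record"
    return "ok"


def build_heartbeat(hb_type: int, claimed_len: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Constructed sample record; claimed_len may differ from len(payload)."""
    body = bytes([hb_type]) + struct.pack("!H", claimed_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed test vectors: an honest request, and one whose claimed length
# exceeds the bytes actually sent, which a receiver on either side must drop.
HONEST = build_heartbeat(HB_REQUEST, 5, b"hello")
OVERSIZED = build_heartbeat(HB_REQUEST, 0x4000, b"", padding=b"")
```

A patched endpoint discards the second record silently; an unpatched one would answer it with memory it never meant to send, which is why the exposure is not limited to servers.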