Sorry - my answer was unclear - you will see the bug in anything that uses the TLS implementation in OpenSSL. I said https because it seemed like (maybe I misunderstood) Nik was asking about http. Admittedly I was tired when I replied; in retrospect I should have waited :)
So if SPDY uses TLS with a vuln version of OpenSSL, yes the problem exists. On 4/8/14, 1:08 PM, "Jeffrey Walton" <noloa...@gmail.com> wrote: >On Tue, Apr 8, 2014 at 9:30 AM, Chris Schmidt ><chris.schm...@contrastsecurity.com> wrote: >> The bug is in the TLS implementation in OpenSSL, you will only see it >>on https >SPDY? > >>> On Apr 8, 2014, at 4:43 AM, "Nik Mitev" <n...@mitev.net> wrote: >>> >>> I used the tool Kirils linked (http://possible.lv/tools/hb/) and my >>> unpatched servers running a Tor node or an Openvpn server returned >>> correct (old) version of openssl but not vulnerable. >>> Is it the bug or the tool that seems to be limited to https I wonder? >>> >>> Patched now so can't test with this tool... >>> >>> -----Original Message----- >>> From: Fraser Scott <fraser.sc...@gmail.com> >>> To: fulldisclosure@seclists.org >>> Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 >>> Date: Tue, 8 Apr 2014 10:24:02 +0100 >>> >>> This seems to be the best test so far: >>> >>> http://s3.jspenguin.org/ssltest.py >>> >>> Other tests false-positive on patched versions from what I can see. >>> >>> >>>> On 8 April 2014 01:10, Kirils Solovjovs <kirils.solovj...@kirils.com> >>>>wrote: >>>> >>>> We are doomed. >>>> >>>> Description: http://www.openssl.org/news/vulnerabilities.html >>>> Article dedicated to the bug: http://heartbleed.com/ >>>> Tool to check if TLS heartbeat extension is supported: >>>> http://possible.lv/tools/hb/ >>>> >>>> A missing bounds check in the handling of the TLS heartbeat extension >>>> can be used to reveal up to 64kB of memory to a connected client or >>>>server. >>>> >>>> 1.0.1[ abcdef] affected. >>>> >>>> >>>> P.S. Happy Monday! _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
