On 2014-04-07 at 17:56 -0700, Paul Graydon wrote:
> Bear in mind that there is no way to tell if you've been compromised
> or not. If you can, it's worth erring on the side of caution.
Indeed. The disclosure is just extra data sent back in a frame from the server, without the connection being dropped or any abnormal termination; the events are heart-beats which don't normally cause any logging, because they're _not_ a "data transfer", they just keep the connection alive, help with Path MTU Discovery and maybe help defeat traffic analysis in some deployment scenarios. The latter two reasons are why "heartbeats" have a payload at all.

Further, it turns out that it's 64kB of disclosure per heartbeat packet, and the attacker appears to have pretty free rein over the peer's address-space (and either side can send heart-beats, so AFAICT, an OpenSSL client can be attacked by a malicious server).

(This would neatly explain how the NSA got ahold of server keys for some service providers.)

-Phil

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
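The check a heartbeat responder (or an inspecting middlebox) needs in order to refuse the disclosure Phil describes, as an added example that is not from this thread or from OpenSSL: it assumes the RFC 6520 wire format (TLS content type 24, a 1-byte message type, a 2-byte payload_length, then payload and at least 16 bytes of padding) and runs over constructed sample records rather than real captures.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24          # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16                     # RFC 6520: every heartbeat message carries >= 16 bytes of padding


def check_heartbeat_record(record: bytes):
    """Validate one TLS record carrying a heartbeat message.

    Returns (True, payload) for a well-formed message, or (False, reason).
    The decisive test is the one the vulnerable responder skipped: the declared
    payload_length, plus the 3-byte heartbeat header and the padding, must fit
    inside the record that actually arrived.  A peer that answers without this
    check echoes payload_length bytes, most of them read from memory beyond the
    short payload it was sent.
    """
    if len(record) < 5:
        return False, "truncated TLS record header"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return False, "not a heartbeat record"
    body = record[5:]
    if len(body) != rec_len:
        return False, "record length field disagrees with bytes on the wire"
    if rec_len < 3:
        return False, "heartbeat message shorter than its fixed header"
    hb_type, declared = struct.unpack("!BH", body[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return False, "unknown heartbeat type %d" % hb_type
    if 1 + 2 + declared + MIN_PADDING > rec_len:
        return False, "declared payload_length %d exceeds the %d bytes available" % (
            declared, max(rec_len - 3 - MIN_PADDING, 0))
    return True, body[3:3 + declared]


# Constructed sample records (TLSv1.2 header 0x18 0x03 0x03), not real captures.
_PADDING = b"\x00" * MIN_PADDING
# Honest request: payload "ping", payload_length = 4, record length = 1+2+4+16 = 23.
GOOD_RECORD = (b"\x18\x03\x03" + struct.pack("!H", 23)
               + b"\x01" + struct.pack("!H", 4) + b"ping" + _PADDING)
# Same 23-byte record, but payload_length claims 65535: the shape a fixed peer must drop.
OVERSIZED_RECORD = (b"\x18\x03\x03" + struct.pack("!H", 23)
                    + b"\x01" + struct.pack("!H", 0xFFFF) + b"ping" + _PADDING)

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("oversized", OVERSIZED_RECORD)):
        print(name, check_heartbeat_record(rec))
```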