| 1 |
On 4/10/2014 6:59 PM, Alan McKinnon wrote: |
| 2 |
>> Steve Gibson explained that the heartbeat feature was introduced in openssl to |
| 3 |
>> allow *UDP* connections to mimic the 'keepalive' function of the TCP protocol. |
| 4 |
>> |
| 5 |
>> IIRC Steve didn't explain how UDP bugs can compromise TCP connections. |
| 6 |
>> |
| 7 |
>> Anyone here really understand the underlying principles? If so, please explain! |
| 8 |
>> |
| 9 |
>> Thanks. |
| 10 |
> |
| 11 |
> UDP is not compromising TCP connections. |
| 12 |
> The software bug allows malicious connecting code to determine the |
| 13 |
> contents of memory, which is in use by sshd. How that memory got to be |
| 14 |
> there is irrelevant. |
| 15 |
> |
| 16 |
> There are many lengthy discussions on the internet on how this vuln |
| 17 |
> works. You should read them. |
| 18 |
|
| 19 |
While there may be many OpenSSL experts on this list, I believe that the BEST |
| 20 |
source of information on this bug, how it works, what it does, and so forth |
| 21 |
would be the OpenSSL mailing lists. The official Heartbleed web page has some |
| 22 |
information on it that is a good beginning for researching this bug, the the |
| 23 |
lists I mentioned above are probably the best source of information, after you |
| 24 |
understand the basics from the web page. |
| 25 |
|
| 26 |
Chris Walters |
Archives