On 4/10/2014 6:59 PM, Alan McKinnon wrote:
>> Steve Gibson explained that the heartbeat feature was introduced in openssl to
>> allow *UDP* connections to mimic the 'keepalive' function of the TCP protocol.
>>
>> IIRC Steve didn't explain how UDP bugs can compromise TCP connections.
>>
>> Anyone here really understand the underlying principles? If so, please explain!
>>
>> Thanks.
>
> UDP is not compromising TCP connections.
> The software bug allows malicious connecting code to determine the
> contents of memory, which is in use by sshd. How that memory got to be
> there is irrelevant.
>
> There are many lengthy discussions on the internet on how this vuln
> works. You should read them.

While there may be many OpenSSL experts on this list, I believe that the BEST
source of information on this bug, how it works, what it does, and so forth
would be the OpenSSL mailing lists. The official Heartbleed web page has some
information on it that is a good beginning for researching this bug, but the
lists I mentioned above are probably the best source of information, after you
understand the basics from the web page.

Chris Walters