Wednesday, April 16, 2014

OpenSSL TLS Heartbleed in-security

How exactly does the OpenSSL TLS heartbeat (Heartbleed) exploit work? - Information Security Stack Exchange:

"This is not a flaw in TLS; it is a simple memory safety bug in OpenSSL.
Heartbeat allows one endpoint to go "I'm sending you some data, echo it back to me". You send both a length figure and the data itself. The length figure can be up to 64 KiB. Unfortunately, if you use the length figure to claim "I'm sending 64 KiB of data" (for example) and then only really send, say, one byte, OpenSSL would send you back your one byte -- and 64 KiB (minus one) of other data from RAM."
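
The missing check the quoted answer describes, as an added example in C that is not part of the quoted answer and is not OpenSSL's own code: a simplified model of a heartbeat record (1 type byte, 2-byte length, payload, at least 16 bytes of padding, per RFC 6520). The function names and the two sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request, RFC 6520 */
#define HB_RESPONSE 2   /* heartbeat_response, RFC 6520 */
#define HB_HEADER   3   /* 1 type byte + 2-byte payload length */
#define HB_MIN_PAD  16  /* minimum padding after the payload */

/* Constructed sample records (padding left as zero bytes). */
const uint8_t HONEST[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
const uint8_t LYING[20]  = {HB_REQUEST, 0xFF, 0xFF, 'A'}; /* claims 65535, sends 1 */
uint8_t OUT[64];

/* How far an echo that trusts the length field would read past the record.
 * Pure arithmetic: this function never performs the out-of-bounds read. */
size_t hb_unchecked_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;
    size_t wanted = HB_HEADER + (((size_t)rec[1] << 8) | rec[2]);
    return wanted > rec_len ? wanted - rec_len : 0;
}

/* Hardened handler: writes the echo to out and returns its length,
 * or returns 0 when the record must be silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > rec_len || resp_len > cap) /* claimed length must fit the record */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD); /* real padding is random */
    return resp_len;
}

int main(void)
{
    printf("unchecked echo over-reads %zu bytes\n", hb_unchecked_overread(LYING, sizeof LYING));
    printf("hardened: LYING -> %zu\n", hb_build_response(LYING, sizeof LYING, OUT, sizeof OUT));
    return 0;
}
```

The record that claims 65535 bytes while carrying one is dropped by the hardened handler, while the record whose length field matches its contents is echoed back unchanged.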



A Few Thoughts on Cryptographic Engineering: Attack of the week: OpenSSL Heartbleed





Heartbleed victims start to come forward- The Inquirer

