Free Republic

To: rarestia
This is a great graphic. I wish I could’ve simplified this much with my management team. They just gave the order to “fix it.”

I guess I'm a dunce on this -- I don't understand the graphic at all.

15 posted on 04/11/2014 7:19:15 AM PDT by CedarDave (CNN: The "Crisis News Channel" - all Flight 370 hysteria and global warming blather, all the time.)


To: CedarDave

A program makes a query over an SSL link. That query is answered securely by the server on the other side. On a properly-configured SSL tunnel, the responder would answer the query explicitly.

With Heartbleed, a query could be issued and request the response to be a certain length. The response could be longer than the explicit data point in, say, a database, and the data that would be gained would be data the requester is not privy to.

In this case, a private key could be decoded by constantly requesting that secure traffic respond with more information than what is found in the public key. Since the only data outside of the public key is the private key or a symmetric hash, they could eventually decode the entire private key, thus making a man-in-the-middle attack easy to pull off. The attack poses as a secure server, steals the data it wants, and the customer is none the wiser.


18 posted on 04/11/2014 9:14:39 AM PDT by rarestia (It's time to water the Tree of Liberty.)
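The length mismatch the post above describes comes down to one missing bounds check in the heartbeat handler. The following C model is an added illustration, not code from this thread or from OpenSSL: the record layout, the `arena` buffer with its constructed "secret" bytes, and the `heartbeat_response` function are all assumptions made for the demo, with `strict` switching between the unchecked (pre-fix) behaviour and the checked (fixed) behaviour.

```c
/* Added example: a simplified model of the TLS heartbeat length check.
 * Not OpenSSL code; record layout and memory contents are constructed. */
#include <stdio.h>
#include <string.h>

/* Simulated process memory: one heartbeat record followed by unrelated
 * bytes that a correct implementation must never echo back. The arena is
 * sized so the unchecked copy below stays inside it (no UB in the demo). */
static const unsigned char arena[] =
    "\x01"             /* heartbeat type: request */
    "\x00\x10"         /* claimed payload length: 16 */
    "abcd"             /* the 4 payload bytes actually present */
    "SECRET-KEY-DATA"; /* constructed neighbouring memory */

enum { RECORD_LEN = 1 + 2 + 4 };

/* Parse one heartbeat request of record_len bytes at rec and copy the
 * payload to be echoed into out. Returns the echoed length, or -1 if the
 * request is rejected. strict == 0 trusts the claimed length (pre-fix);
 * strict == 1 requires the claim to fit inside the received record. */
int heartbeat_response(const unsigned char *rec, size_t record_len,
                       int strict, unsigned char *out, size_t out_cap)
{
    if (record_len < 3 || rec[0] != 1)
        return -1;                           /* not a well-formed request */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (strict && claimed > record_len - 3)
        return -1;                           /* the fix: claim must fit */
    if (claimed > out_cap)
        return -1;
    memcpy(out, rec + 3, claimed);           /* unchecked when !strict */
    return (int)claimed;
}

int main(void)
{
    unsigned char buf[64];
    int n = heartbeat_response(arena, RECORD_LEN, 0, buf, sizeof buf);
    printf("unchecked: echoed %d bytes: %.*s\n", n, n, buf);
    n = heartbeat_response(arena, RECORD_LEN, 1, buf, sizeof buf);
    printf("checked:   result %d (request rejected)\n", n);
    return 0;
}
```

The unchecked path returns 16 bytes even though only 4 were sent, and the extra 12 are whatever sat next to the record in memory; the checked path rejects the request outright.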
