Free Republic
Browse · Search 		General/Chat
Topics · Post Article

To: CedarDave

A program makes a query over an SSL link. That query is answered securely by the server on the other side. On a properly-configured SSL tunnel, the responder would answer the query explicitly.

With heartbleed, a query could be issued and request the response to be a certain length. The response could be longer than the explicit data point in, say, a database, and the data that would be gained would be data the requester is not privy to.

In this case, a private key could be decoded by constantly requesting secure traffic respond with more information than what is found in the public key. Since the only data outside of the public key is the private key or a symmetric hash, they could eventually decode the entire private key, thus making a man-in-the-middle attack easy to pull off. The attack poses as a secure server, steals the data it wants, and the customer is none the wiser.


18 posted on 04/11/2014 9:14:39 AM PDT by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 15 | View Replies ]

To: rarestia

I do hope our host will add to this thread. Not a good
thing to hear with an onging freepathon fundraiser in progress.


19 posted on 04/19/2014 9:55:54 PM PDT by theneanderthal
[ Post Reply | Private Reply | To 18 | View Replies ]

Free Republic
Browse · Search 		General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson