[pro] Heartbleed?

Max Rottenkolber max at mr.gy
Wed Apr 23 08:06:44 UTC 2014


> From what I understand about the bug (I have not seen the code) it sounds
like data length information
> arrived both directly and indirectly in the client message and that a
conflict between them was not
> scrutinized. 

No. The bug was that the keep alive protocol in SSL mandates the server to
echo arbitrary data back to the client. The bounds checks were wrong too,
but at that stage it really doesn't matter. The design is just plain wrong.






More information about the pro mailing list