[pro] Heartbleed?
Pascal J. Bourguignon
pjb at informatimago.com
Thu Apr 24 16:13:35 UTC 2014
Max Rottenkolber <max at mr.gy> writes:
> On Wed, 23 Apr 2014 20:39:48 +0200, Pascal J. Bourguignon wrote:
>> When a HeartbeatRequest message is received and sending a
>> HeartbeatResponse is not prohibited as described elsewhere in this
>> document, the receiver MUST send a corresponding HeartbeatResponse
>> message carrying AN EXACT COPY OF THE PAYLOAD of the received
>> HeartbeatRequest.
>
> I didn't mean to dispute that CL is a safer language. My point is that, as
> an implementer, the above paragraph in an SSL protocol extension should
> raise red lights.
>
> What is the function of the described behavior? Why would I want to echo
> back data in context of a keep alive?
> A: None. You don't want to do that.
You want to make sure that the answer you get corresponds to the request
you sent.
You could use a counter, but it would be too easy to simulate it on the
other end.
If you send random data, and compare the returned data, you make sure
that there's something alive on the other end that can receive your
message and respond to them, not a dead process sending fixed or
previsible packets.
--
__Pascal Bourguignon__
http://www.informatimago.com/
"Le mercure monte ? C'est le moment d'acheter !"
More information about the pro
mailing list