Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.os.linux.security > #493

Re: heardbleed bug and openssl

From William Unruh <unruh@invalid.ca>
Newsgroups comp.os.linux.security
Subject Re: heardbleed bug and openssl
Date 2014-04-14 21:18 +0000
Organization A noiseless patient Spider
Message-ID <lihjbc$p8l$1@dont-email.me> (permalink)
References <003ee7a0-e43e-491c-935a-d8f67cbe8f15@googlegroups.com> <2bd15321-3344-4d97-ab58-784b410ea490@googlegroups.com> <dhit1bxfn.ln2@goaway.wombat.san-francisco.ca.us> <lihadn$lg1$1@dont-email.me> <pgpt1bxvg2.ln2@goaway.wombat.san-francisco.ca.us>

Show all headers | View raw


On 2014-04-14, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:
> On 2014-04-14, William Unruh <unruh@invalid.ca> wrote:
>>>
>>> https://filippo.io/Heartbleed/
>>>
>>> Or you can download source code and test your services yourself:
>>>
>>> https://github.com/FiloSottile/Heartbleed
>>>
>>> I don't currently know a way of testing libraries client-side.
>>
>> But if your browser does not listen on 443, this will not work even if
>> your ssl library is bad.
>
> Of course, which is exactly why I specifically wrote "I don't currently
> know a way of testing libraries client-side".

Those are NOT client side, those are server side. Imap server, pop
server, http server are all servers. Now if your server does not listen
on 443 then you might say that it is safe anyway, except you could have
opened some other port for https
Also your server could server other ssl reliant stuff and the test will
not find them. 

>
>> And if you have no browser, but have say imap
>> running it also will not tell you that ssl is bad. 
>
> Actually, it can test any listener.  If you point the filippo tester to
> Gmail's imaps server it passes.

Yes, if you happen to know the ports. Ie, it will test gmail's imap
server on port 443. But that is not what imap listens to. You can tell
it to test the approriate port, but most people have no idea what that
is. 
So if you point that site to gmail's imap server, but use the default
port 443, that may tell you that the site is OK but that will be pretty
useless. (actually it will probably more helpfully tell you that the
server does not respond on port 443.  But then even valid servers often
do not respond to port 443 when they are busy.)




>
> --keith
>

Back to comp.os.linux.security | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread


Thread

heardbleed bug and openssl Steve Wolf <stevwolf58@gmail.com> - 2014-04-14 07:48 -0700
  Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 07:55 -0700
  Re: heardbleed bug and openssl Jim Beard <jdbeard@patriot.net> - 2014-04-14 15:05 +0000
    Re: heardbleed bug and openssl Aragorn <thorongil@telenet.be.invalid> - 2014-04-14 17:58 +0200
  Re: heardbleed bug and openssl Steve Wolf <stevwolf58@gmail.com> - 2014-04-14 08:48 -0700
    Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 10:29 -0700
      Re: heardbleed bug and openssl colinmarr0@gmail.com - 2014-04-14 10:48 -0700
        Re: heardbleed bug and openssl "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2014-04-14 14:08 -0400
        Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 18:47 +0000
        Re: heardbleed bug and openssl Joe Beanfish <joebeanfish@nospam.duh> - 2014-04-15 13:36 +0000
      Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 18:46 +0000
        Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 12:28 -0700
          Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 21:18 +0000
            Re: heardbleed bug and openssl Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> - 2014-04-14 14:48 -0700
    Re: heardbleed bug and openssl Jim Beard <jdbeard@patriot.net> - 2014-04-15 01:44 +0000
  Re: heardbleed bug and openssl William Unruh <unruh@invalid.ca> - 2014-04-14 17:10 +0000
  Re: heardbleed bug and openssl "Trevor Hemsley" <Trevor.Hemsley@mytrousers.ntlworld.com> - 2014-04-15 05:38 -0500

csiph-web