Hi,

On 04/11/2014 12:55 AM, walt wrote:
> Steve Gibson explained that the heartbeat feature was introduced in openssl to
> allow *UDP* connections to mimic the 'keepalive' function of the TCP protocol.
>
> IIRC Steve didn't explain how UDP bugs can compromise TCP connections.
>
> Anyone here really understand the underlying principles?  If so, please 
> explain!

Yes, a TCP connection is stateful, so imho heartbeat is not necessary.

But you don't always speak "UDP" or "TCP".
Imagine some sort of direct connection without any type of
transportation layer.

As a generic cryptographic library, OpenSSL is designed to be adaptable
and universal. That broke OpenSSL's neck.

We can only hope that the heartbeat exploit was not widely used before
they published that zero-day.
But we can be sure that this is not going to be the last vulnerability
of this kind.

Regards
  Ralf
