Graham Leggett wrote:
> On 13 Apr 2014, at 2:04 PM, Michael Ströder <mich...@stroeder.com> wrote:
>> No, it does *not* answer the question.
>>
>> The question was: Who is currently using it?
>
> Just to clarify any possible confusion, whether or not a piece of software
> actively uses the heartbeat makes no difference to the bug, you are still
> vulnerable simply by virtue of the feature being there. Make sure that if
> you are using an affected version of openssl, you patch openssl.

I understood Hanno's question like this: Why the hell is everybody forced to deploy half-baked code in security sensitive systems which is only needed in 0.000001% use-case niches like DTLS?

This is related to the why-gets-TLS-more-and-more-bloated-and-how-should-implementors-ever-get-this-right discussions on ietf-tls mailing list.

A clarifying note especially to OpenSSL developers: Many thanks for your work and I feel your pain these days. But maybe it's the right time to think about putting two feet on the brake pedal against the feature bloat.

Ciao, Michael.