*However*, if there's a way to specify the data it sends back, that
wouldn't be a problem (I'm no legal specialist though). I have not yet
tested my theory, but sending a few extra bytes in the heartbeat
message (and of course incrementing 'length' in the 'ssl3_record_st'
struct) should do
Felix Büdenhölzer wrote on 10/04/14 22:13:
2014-04-09 20:51 GMT+02:00 Paul Pearce pea...@cs.berkeley.edu:
* Should authorities scan for bad OpenSSL versions and force their weight
down to 20?
I'd be interested in hearing people's thoughts on how to do such
scanning ethically (and perhaps legally). I was under the impression
the
TvdW
* Should we consider every key that was created before Tuesday
You'd need to also know the key was created by vulnerable
openssl 1.0.1 versions, didn't already disable heartbeat, etc.
That data isn't announced in the consensus. And those that
weren't vulnerable may be happy continuing with
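Added example, not from this thread: the bounds check that the patched OpenSSL applies to an incoming heartbeat record, which is also what a relay operator or scanner can use to tell a benign heartbeat from the over-length one discussed above. The record builder and the two sample records are constructed here, and TLS 1.1 version bytes (03 02) are an assumption.

```python
import struct

TLS_HEARTBEAT = 24          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for one raw TLS record.

    Applies the bounds check that the fixed OpenSSL performs: the
    payload_length declared inside the heartbeat message, plus the
    3-byte heartbeat header and the mandatory padding, must fit inside
    the record that carried it. A vulnerable build skipped this check
    and echoed payload_length bytes from its own memory.
    """
    if len(record) < 5:
        return False, "truncated TLS record header"
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return True, "not a heartbeat record"
    body = record[5:]
    if len(body) != rec_len:
        return False, "record length field disagrees with bytes present"
    if rec_len < 1 + 2 + MIN_PADDING:
        return False, "heartbeat message shorter than header plus padding"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False, f"unknown heartbeat type {hb_type}"
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return False, (f"declared payload_length {payload_len} does not fit "
                       f"in a {rec_len}-byte record: over-length heartbeat")
    return True, "well-formed heartbeat"


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """Constructed sample record (assumption: TLS 1.1 version bytes 03 02)."""
    body = struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


# Constructed samples: an honest request and one whose declared length lies.
HONEST = build_heartbeat(b"ping", len(b"ping"))
OVERLENGTH = build_heartbeat(b"ping", 0x4000)

if __name__ == "__main__":
    for name, rec in (("honest", HONEST), ("over-length", OVERLENGTH)):
        print(name, check_heartbeat_record(rec))
```

Even a declared length one byte larger than the actual payload fails the check, which is exactly the condition a patched server rejects and an unpatched one answers.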