UTA members,

With the Heartbleed exploit all over the news lately, it was pointed out to me that web *client* applications could be vulnerable to this in that if they visit a site operated by a malicious server, the server could exploit the bug to capture memory blobs from the client systems. There is even demonstration code out there that shows how this can work:

https://github.com/Lekensteyn/pacemaker

Now, the path to exploit this on the client side might be more difficult because:

1. The attacker would have to get the client to visit the malicious site (i.e. via phishing or shared links on social media); or
2. The attacker would have to do a MiTM or modify code on an existing legitimate site; and
3. The attacker would have to repeatedly be retrieving memory blobs to try to see if anything interesting was in there.

Still, the possibility is out there that the client can leak information. Much is being made in the media right now about *servers* updating their use of OpenSSL, but I've not seen much yet about clients that link to the OpenSSL libraries to make TLS/SSL connections.

I guess my thought is... as we develop documents for application developers about how to best use TLS in their apps, are there lessons we can take from all of this to add into those documents? (And I haven't really thought through it all myself, yet... more just posing the question.)

Dan

--
Dan York
Senior Content Strategist, Internet Society
[email protected]
+1-802-735-1624
Jabber: [email protected]
Skype: danyork
http://twitter.com/danyork
http://www.internetsociety.org/deploy360/
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
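The post's point is that an application linking OpenSSL for its TLS client side is exposed just as a server is. One concrete thing such application guidance can ask developers to do is audit the OpenSSL their process actually loads. The following is an added example, not code from the post or from the pacemaker project; it parses the OpenSSL version banner that Python's ssl module exposes and flags the Heartbleed-affected 1.0.1 series (1.0.1 through 1.0.1f, fixed in 1.0.1g, per the OpenSSL advisory rather than the post).

```python
import re
import ssl

# Heartbleed affects the OpenSSL 1.0.1 release series from 1.0.1 up to and
# including 1.0.1f; 1.0.1g fixed it (from the OpenSSL advisory, not from the
# mailing-list post). The 0.9.8 and 1.0.0 series never had the bug.
AFFECTED_LOW = (1, 0, 1, 0)   # 1.0.1 with no patch letter
AFFECTED_HIGH = (1, 0, 1, 6)  # 1.0.1f  (patch letters a..f map to 1..6)

# Matches banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Turn an OpenSSL banner into (major, minor, fix, patch); None if not OpenSSL."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def is_heartbleed_affected(version):
    """True when a parsed version tuple falls inside the affected 1.0.1 range."""
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


def audit_client_library(banner=ssl.OPENSSL_VERSION):
    """Report whether the TLS library this process links against is in the affected range.

    Defaults to the library the running interpreter loaded; a banner string can be
    passed instead to check a version reported by another component.
    """
    version = parse_openssl_version(banner)
    if version is None:
        return {"library": banner, "affected": False, "reason": "not OpenSSL"}
    return {"library": banner, "affected": is_heartbleed_affected(version), "version": version}


if __name__ == "__main__":
    print(audit_client_library())
```

Caveat for guidance documents: distributions often backport the fix without changing the version banner (a patched 1.0.1e still reports 1.0.1e), so a version check like this is a prompt to verify against the vendor's package changelog, not a final verdict.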
