On 04/10/2014 09:49 AM, Greg Freemyer wrote:
> Is it just HTTPS connections we have to worry about?
> I read that SSH is safe because it does not use the TLS protocol that is the core of the vulnerability.
> For secure FTP, it uses SSH so that should be safe as well.
> What about POP / IMAP / SMTP?
> Do any of those have susceptibility to Heartbleed?

I've read that it affects anything that uses the OpenSSL libs:

  HTTPS
  SMTP (submission port 587)
  POP (port 995)
  IMAP (port 993)
  XMPP (chat servers)
  SSL VPNs (!!!!)
  Various network appliances, including security stacks. (!!!!)
  etc, etc, etc.

Apparently each heartbeat packet can return only 64-KB of data, but subsequent ones can return other 64-KB areas. Thus, the hacker could just walk through all RAM and suck whatever's there.

What's there? Usernames, passwords, PKI keys (both public and private!!!), and depending on what you've been doing, your SSH public/private keys.

Since the data exfiltration is completely silent and no connections are logged, you'd never know if you've been hacked!

This one is bad indeed.

Regards,
Lew
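
To answer "which of my services load the OpenSSL libs" on a given Linux host, the following is an added example (not part of the original thread) that inventories running processes with libssl mapped and flags those still running a copy that has since been replaced on disk. It assumes dynamically linked daemons and a readable /proc; the function names and the sample dumps are constructed for illustration, and it does not judge whether the loaded library version is a vulnerable one.

```python
import glob
import re

# The TLS heartbeat code lives in libssl; a process that maps only libcrypto
# (sshd, for example) does not load it. libssl3.so is NSS, not OpenSSL.
_LIBSSL = re.compile(r"\s(/\S*/libssl\.so[^/\s]*)(\s+\(deleted\))?\s*$")

def libssl_mappings(maps_text):
    """Return {path: stale} for libssl mappings in one /proc/<pid>/maps dump.

    stale is True when the kernel tags the file "(deleted)": the package was
    replaced on disk but the process still executes the old copy.
    """
    found = {}
    for line in maps_text.splitlines():
        m = _LIBSSL.search(line)
        if m:
            found[m.group(1)] = found.get(m.group(1), False) or bool(m.group(2))
    return found

def scan_proc(root="/proc"):
    """Map (pid, command) -> libssl mappings on a live Linux host."""
    report = {}
    for maps in glob.glob(f"{root}/[0-9]*/maps"):
        pid = maps.split("/")[-2]
        try:
            with open(maps) as fh:
                libs = libssl_mappings(fh.read())
            with open(f"{root}/{pid}/comm") as fh:
                name = fh.read().strip()
        except OSError:  # process exited, or we lack permission to read it
            continue
        if libs:
            report[(int(pid), name)] = libs
    return report

# Constructed sample dumps (not taken from a real host).
SAMPLE_SMTPD = """\
7f3a10000000-7f3a1005e000 r-xp 00000000 08:02 131245 /lib64/libssl.so.1.0.0 (deleted)
7f3a1025e000-7f3a10262000 rw-p 0005e000 08:02 131245 /lib64/libssl.so.1.0.0 (deleted)
7f3a10400000-7f3a105c0000 r-xp 00000000 08:02 131240 /lib64/libcrypto.so.1.0.0 (deleted)
"""
SAMPLE_SSHD = "7f9b20000000-7f9b201c0000 r-xp 00000000 08:02 131300 /lib64/libcrypto.so.1.0.0\n"
SAMPLE_NSS = "7f5c30000000-7f5c30040000 r-xp 00000000 08:02 131400 /usr/lib64/libssl3.so\n"

if __name__ == "__main__":
    for (pid, name), libs in sorted(scan_proc().items()):
        for path, stale in libs.items():
            print(pid, name, path, "RESTART NEEDED" if stale else "matches file on disk")
```

Run it as root so other users' maps files are readable. Statically linked binaries and closed appliances will not show up in this inventory and have to be checked with their vendors.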