On 4/10/2014 6:59 PM, Alan McKinnon wrote:
>> Steve Gibson explained that the heartbeat feature was introduced in openssl to
>> allow *UDP* connections to mimic the 'keepalive' function of the TCP protocol.
>> IIRC Steve didn't explain how UDP bugs can compromise TCP connections.
>> Anyone here really understand the underlying principles? If so, please explain!
>> Thanks.
>
> UDP is not compromising TCP connections.
> The software bug allows malicious connecting code to determine the
> contents of memory, which is in use by sshd. How that memory got to be
> there is irrelevant.
> There are many lengthy discussions on the internet on how this vuln
> works. You should read them.

While there may be many OpenSSL experts on this list, I believe that the BEST
source of information on this bug, how it works, what it does, and so forth
would be the OpenSSL mailing lists. The official Heartbleed web page has some
information on it that is a good beginning for researching this bug, but the
lists I mentioned above are probably the best source of information, after you
understand the basics from the web page.
Chris Walters