Serious bug in ubiquitous OpenSSL library: "Heartbleed"

Chris Adams cma at cmadams.net
Tue Apr 8 19:15:36 UTC 2014


Once upon a time, Frank Bulk <frnkblk at iname.com> said:
> If we would front our HTTPS services with a (OpenSSL vulnerable)
> load-balancer that does the SSL work and we just use HTTP to the service,
> will that mitigate information loss that's possible with this exploit?  Or
> will the OpenSSL code on the load-balancer also store or "cache" content?

One of the biggest risks that could be exposed in this particular case
is the SSL private key.  If your front end is handling SSL with OpenSSL,
it'll have the key, and that is vulnerable.

-- 
Chris Adams <cma at cmadams.net>




More information about the NANOG mailing list