[[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

Scott Howard scott at doc.net.au
Thu Apr 17 05:41:12 UTC 2014

On Wed, Apr 16, 2014 at 9:39 PM, TGLASSEY <tglassey at earthlink.net> wrote:

> BAE did this cute poster on the attack model
> https://image-store.slidesharecdn.com/6f0027d2-
> c58c-11e3-af1f-12313d0148e5-original.jpeg?goback=%2Egde_1271127_member_
> 5862330295302262788

I'm guessing accuracy probably wasn't their primary concern, but...

The SSL handshake shown is wrong. Obviously it's over-simplified, and
that's to be expected, but to claim that the client generates and session
key and then "Encrypts it with the servers private key" and sends it over
the wire is outright wrong.

The session key in and of itself is *never* transmitted over the wire
(encrypted or not).  Exactly what is sent depends on the exact algorithm,
but presuming they are describing RSA key exchange then it's the
"pre-master secret", which is then used by both the client and the server
(along with other information they have exchanged) to both independently
generate the session key.

Semantics perhaps, but...


More information about the NANOG mailing list