nanog mailing list archives

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]


From: Scott Howard <scott () doc net au>
Date: Wed, 16 Apr 2014 22:41:12 -0700

On Wed, Apr 16, 2014 at 9:39 PM, TGLASSEY <tglassey () earthlink net> wrote:

> BAE did this cute poster on the attack model
>
> https://image-store.slidesharecdn.com/6f0027d2-c58c-11e3-af1f-12313d0148e5-original.jpeg?goback=%2Egde_1271127_member_5862330295302262788


I'm guessing accuracy probably wasn't their primary concern, but...

The SSL handshake shown is wrong. Obviously it's over-simplified, and
that's to be expected, but to claim that the client generates a session
key and then "Encrypts it with the server's private key" and sends it over
the wire is outright wrong.

The session key in and of itself is *never* transmitted over the wire
(encrypted or not).  Exactly what is sent depends on the exact algorithm,
but presuming they are describing RSA key exchange then it's the
"pre-master secret", which is then used by both the client and the server
(along with other information they have exchanged) to both independently
generate the session key.

Semantics perhaps, but...

  Scott

