Old 04-14-2014, 03:45 PM  
bigluv
Confirmed User
 
Join Date: Jul 2008
Posts: 850
You're right, suesheboy. I educated myself a little bit further, and some sources claim that the heartbeat requests are two-way, so a client, once it has connected to a host of its choosing, would be vulnerable. The important part there is "a host of its choosing": there's no ability to exploit this without the connection being initiated by the client.
This limitation is pretty seriously limiting, though, in my opinion.

Therefore, you would have to be visiting a website whose server has been and continues to be seriously compromised (not just Heartbleed vulnerable or previously Heartbleed vulnerable) but actually taken over by bad actors. So all the usual caveats about not clicking random crap links sort of apply, and I'm sure Chrome, antivirus and Google search would have a chance to warn you of malware just like usual as soon as they are up to speed. You can pretty easily self-police this as far as browsing goes by thinking twice before you use https.

Beyond that, you already did have to evaluate what sites your apps were connecting to, and whether some of them might be small enough to be compromised and stay compromised for Heartbleed, so this little wrinkle just ups the ante in that vein a little more.

I think most people, when they hear Android 4.1.x is affected, think that they are suddenly going to be hit by scanning malware completely foreign to them, but that's not how it works.