by robocat
2512 days ago
Heartbleed again - yep. Maybe there's not much discussion yet because it doesn't have some cool marketing, or perhaps everyone is scrambling to mitigate the issue for their infrastructure?

There are a few reasons your company might be safe:

1. All your sites serve https directly from web servers (no https termination and passthrough as internal http traffic)
2. You use Cloudflare and you cannot reach your sites directly (article says that Cloudflare rewrites all headers so probably avoids problem)
3. Your front end is properly hardened and it prevents malformed or duplicate headers
4. Your front end does not reuse connections to your web server (maybe the quickest emergency bandage?)
5. Your front/back end do not allow chunking (or pipelining).

This is going to affect so many major sites, and requires patches to critical infrastructure: pass me the popcorn so I can watch this horror show unfold.
Regarding point 5, the front-end doesn't need to support pipelining at all, and the back-end doesn't require it either in most cases. Regarding chunk support, yeah you could patch this by disabling chunked requests on both systems, but if only one system disables it that pretty much just makes the situation worse.
I think your first point could be misread. If you have a front-end and a back-end, and they talk to each other using HTTPS, that's exploitable. What's not exploitable is when you don't have a frontend at all, or your frontend isn't doing any kind of request parsing (i.e. it's a network load balancer).