undefined | Better HN

0 pointsrobocat6y ago0 comments

Heartbleed again - yep. Maybe there's not much discussion yet because it doesn't have some cool marketing, or perhaps everyone is scrambling to mitigate the issue for their infrastructure?

There are a few reasons your company might be safe:

1. All your sites serve https directly from web servers (no https termination and passthrough as internal http traffic)

2. You use Cloudflare and you cannot reach your sites directly (article says that Cloudflare rewrites all headers so probably avoids problem)

3. Your front end is properly hardened and it prevents malformed or duplicate headers

4. Your front end does not reuse connections to your web server (maybe the quickest emergency bandage?)

5. Your front/back end do not allow chunking (or pipelining).

This is going to affect so many major sites, and requires patches to critical infrastructure: pass me the popcorn so I can watch this horror show unfold.

0 comments

albinowax_6y ago

Hi, I'm the author of the article.

Regarding point 5, the front-end doesn't need to support pipelining at all, and the back-end doesn't require it either in most cases. Regarding chunk support, yeah you could patch this by disabling chunked requests on both systems, but if only one system disables it that pretty much just makes the situation worse.

I think your first point could be misread. If you have a front-end and a back-end, and they talk to eachother using HTTPS, that's exploitable. What's not exploitable is when you don't have a frontend at all, or your frontend isn't doing any kind of request parsing (ie it's a network load balancer).

lhuser1236y ago

> What's not exploitable is when you don't have a frontend at all, or your frontend isn't doing any kind of request parsing

I think that’s exactly what he was trying to say in the first point. Anyway thanks for stressing that, it helped me understand better what is happening.

cryptonector6y ago

Disabling chunking is often not an option.

EDIT: Basically, chunked transfer encoding is not an option for any front-end systems (reverse proxies / load balancers of any kind). Also note that because there exist apps that associate authentication state with connections (though they're not supposed to), one should generally avoid mixing traffic from different users onto one connection.

j / k navigate · click thread line to collapse