tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Does heartbleeding bug impact on Tomcat 6.x, 7.x and 8.x
Date Fri, 11 Apr 2014 22:51:26 GMT
Ognjen Blagojevic wrote:
> On 11.4.2014 10:52, André Warnier wrote:
>> 3) if he has recorded past encrypted traffic to/from your server, and 
>> saved
>> this recording, then he can at any time go back and decrypt this past
>> traffic, and pick up
>> anything interesting from there, even without having the new keys.  Such
>> a recording could contain, for example, any number of submits
>> from HTML login pages, which were theoretically protected by being made
>> on an encrypted
>> channel. That could probably also contain any communications which your
>> server did with other servers over encrypted channels.
> ... unless Forward secrecy was utilized, which is pretty much invented 
> to defeat future decryption of recorded traffic.
> Forward secrecy was easy to set up on Linux with APR.

All agreed. But I was talking about existing recordings of past communications.
Whatever is done from now on, would not help in that respect, would it ?

> When tcnative 1.1.30 is released, it will be easy to set up on Windows 
> with APR.
> If issue 55988 [1] is resolved, it would be also possible to set it up 
> on JSSE connectors with Java 8.
> -Ognjen
> [1]

Famous last words..

"- I don't think this feature justifies a big blob of ugly code, so this should wait for 
Java 8."

I gather that this was written before HeartBleed became public knowledge.

I believe that in the end, it has to be hoped that the bad guys are no better than the 
good guys, and that they did not spot this any earlier than the good guys.
They must be very pleased.
Now that they have the keys also, they can go back and decode all that stuff, and then 
they they can zip it properly and reclaim a lot of disk space.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message