[langsec-discuss] cross-posting a bit on Heartbleed

Daira Hopwood daira at jacaranda.org
Sat Apr 12 17:44:40 UTC 2014


On 11/04/14 16:40, William Sargent wrote:
>> Actually the protocol *did* specify that:
>>
>> https://tools.ietf.org/html/rfc6520#section-4
>>
>> #   If the payload_length of a received HeartbeatMessage is too large,
>> #   the received HeartbeatMessage MUST be discarded silently.
> 
> There is a formally verified version of TLS, miTLS.  I’d be curious to see how it measures
> up against the attack tools.
> 
> http://www.mitls.org/wsgi

miTLS does not support the heartbeat extension, and so is not vulnerable.
(The only extension it supports is renegotiation_info.)

-- 
Daira Hopwood ⚥
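
The RFC 6520 section 4 rule quoted above, as an added C example that is not part of the original message and is not OpenSSL's or miTLS's code: a heartbeat responder that silently discards a request whose payload_length does not fit in the bytes actually received. The function names and sample records are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PADDING 16  /* minimum padding_length, RFC 6520 section 4 */

/* Build the response to one heartbeat request of rec_len received bytes.
 * Returns bytes written to out, or 0 when the message is silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Section 4 rule: the claimed payload_length must fit in what arrived. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return 0;
    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Simplification: zero padding; the RFC asks for random padding. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Constructed samples: payload "ping" followed by 16 padding bytes, and a
 * record of the same size whose length field claims 0x4000 bytes. */
static const uint8_t hb_ok[23]  = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_bad[23] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' };

size_t hb_demo(const uint8_t *rec, size_t rec_len)
{
    uint8_t out[64];
    return hb_build_response(rec, rec_len, out, sizeof out);
}

int main(void)
{
    printf("well-formed: %zu bytes\n", hb_demo(hb_ok, sizeof hb_ok));
    printf("oversized:   %zu bytes\n", hb_demo(hb_bad, sizeof hb_bad));
    return 0;
}
```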
