8 Apr 2014, 3:15 p.m.
Once upon a time, Frank Bulk <frnkblk@iname.com> said:
If we would front our HTTPS services with a (OpenSSL vulnerable) load-balancer that does the SSL work and we just use HTTP to the service, will that mitigate information loss that's possible with this exploit? Or will the OpenSSL code on the load-balancer also store or "cache" content?
One of the biggest risks that could be exposed in this particular case is the SSL private key. If your front end is handling SSL with OpenSSL, it'll have the key, and that is vulnerable.

--
Chris Adams <cma@cmadams.net>