3 comments

[ 3.0 ms ] story [ 15.3 ms ] thread
This is particularly of interest to those of us who e.g. have a web application with an embedded HTTP client for e.g. processing web hooks, hitting APIs, downloading image files for avatars, etc. If your application can be coerced into fetching either a) an attacker-chosen URL or b) any HTTP URL, you can be sent to a malicious server which heartbleeds you. (If the attacker can specify the URL it's trivial, if you get any HTTP URL then the attacker can use a privileged vantage point to MITM the HTTP connection then 301 redirect you to a better URL.) Can you imagine any freed memory in your appserver's process which you wouldn't want an attacker to have? Good answer!
yes, don't forget to restart your applications after updating openssl libraries. this includes clients!
We just pushed out a tester (we wanted it for ourselves and decided to make it available to others): https://reverseheartbleed.com/

Thanks to @patio11 and others for point out the 'other half' of this vulnerability and motivating us to get a quick fix out.