On Wed, Apr 16, 2014 at 03:06:03PM +0100, mick wrote:
On Wed, 16 Apr 2014 14:49:21 +0100 Chris Green cl@isbd.net allegedly wrote:
I've just been discussing with my son exactly what is (seriously) compromised by the Heartbleed bug.
I can understand the basics, it means that something encrypted using SSL (i.e. HTTPS protocol connections) can be decrypted by someone who shouldn't be able to do so.
Sorry, but no, you have this wrong.
Ah, that would explain why I couldn't understand why it is such a serious vulnerability.
The heartbleed vulnerability is much nastier that you believe. It alllows reading of arbitrary 64K chunks of memory on any system running an application which is linked against a vulnerable version of openssl.
So it's actually an exploit of a specific connection protocol within SSL that's sort of intended for debug/test/admin sort of things?
The original "hearbeat" code was meant to allow aclient/server interaction of the form "are you still awake?". The bug allowed an attacker to send the heartbeat requests but ask for (and get) up to 64 K of contents of RAM. Continued polling would get continued chunks of memory. So if that chunk of RAM contained sensitive data (as it could) then bang you are dead.
So the hacker would simply 'ask' any old system (by sending an SSL packet or sequence of packets) for the contents of its RAM - oooh! I can see that would open up rather more vulnerabilities than just the odd username/login.