On 16/04/14 15:37, Chris Green wrote:
[SNIP]
So the hacker would simply 'ask' any old system (by sending an SSL packet or sequence of packets) for the contents of its RAM - oooh! I can see that would open up rather more vulnerabilities than just the odd username/login.
AIUI, the rogue request is not the designated length, but short. The responding server always replies with 64K, and it pads the response with random chunks of RAM. These can be examined, and it is possible to extract username and password information from it.
Therefore, it is pretty pointless rushing off to change one's passwords until the server has been patched, or the new password can be sniffed out in just the same way as the old one could.
Cheers, Laurie.