On 17 April 2014 10:55, Laurie Brown laurie@brownowl.com wrote:
> AIUI, the rogue request is not the designated length, but short.
> I believe the request basically says "respond with the 64k string 'xx'", where 'xx' clearly isn't 64k in length and the server responds with 64k of data starting with the 'xx' but followed by whatever else it had in memory after those characters.
> As Mick said, the XKCD link is very good, so I'll repeat it: https://xkcd.com/1354/
> For anyone familiar with XKCD it's worth noting that this isn't just a funny comment on the situation, but actually a very good explanation of what the problem is.
> Therefore, it is pretty pointless rushing off to change one's passwords until the server has been patched, or the new password can be sniffed out in just the same way as the old one could.
Indeed, although it also highlights why having the same password for multiple sites is a very bad idea.
You can probably expect your bank to fix a vulnerability like this pretty quickly, but that forum you signed up to once upon a time to access something that you've never been back to since, but where you used the same password? That's the main lesson here, I think (although hopefully for "lesson" read "reminder").
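The length mismatch the thread describes, as an added example that is not part of the mailing-list exchange and is not OpenSSL's own code: a small simulated heartbeat handler that processes the record layout `[type:1][claimed payload length:2][payload][padding:16]` once without the bounds check and once with the check that the fix introduced (reject the request when header plus claimed payload plus padding exceeds what was actually received). The "server memory", the leftover session string placed after the record, and all function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the thread or from OpenSSL. It models the
 * heartbeat record described in the discussion:
 *   [type:1][payload_length:2, big-endian][payload][padding:16]
 * and shows the missing bounds check beside the check that fixed it. */

#define HB_PADDING 16
#define HB_REQUEST 1
#define HB_RESPONSE 2

/* Constructed stand-in for process memory: the received record is copied
 * to the front, and the bytes after it represent whatever the process
 * happened to hold (here a made-up session value). */
#define MEM_SIZE 128
static unsigned char server_memory[MEM_SIZE];
static const char leftover_secret[] = "SESSION=constructed-demo-value";

/* Returns the number of response bytes written, or 0 if the request is
 * rejected. hardened=0 reproduces the missing check; hardened=1 applies it. */
size_t hb_respond(const unsigned char *record, size_t record_len,
                  unsigned char *out, size_t out_cap, int hardened)
{
    if (record_len < 3 || record_len > MEM_SIZE) return 0;

    /* Stage the record in simulated memory, followed by leftover data. */
    memset(server_memory, 0, sizeof server_memory);
    memcpy(server_memory, record, record_len);
    size_t room = MEM_SIZE - record_len;
    memcpy(server_memory + record_len, leftover_secret,
           sizeof leftover_secret < room ? sizeof leftover_secret : room);

    if (server_memory[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)server_memory[1] << 8) | server_memory[2];

    /* The fix: the claimed payload, plus header and padding, must fit
     * inside the record that was actually received. */
    if (hardened && 1 + 2 + payload_len + HB_PADDING > record_len) return 0;

    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;

    /* The real bug copied payload_len bytes past the short record. The demo
     * caps the read at the simulated memory so it stays well-defined. */
    size_t readable = (3 + payload_len <= MEM_SIZE) ? payload_len : MEM_SIZE - 3;
    out[0] = HB_RESPONSE;
    out[1] = server_memory[1];
    out[2] = server_memory[2];
    memcpy(out + 3, server_memory + 3, readable);
    memset(out + 3 + readable, 0, resp_len - 3 - readable);  /* padding stand-in */
    return resp_len;
}

/* Build a constructed request whose claimed length may differ from the
 * payload actually sent. Returns the record length, or 0 on overflow. */
size_t hb_build_request(unsigned char *buf, size_t cap, uint16_t claimed_len,
                        const char *payload, size_t payload_actual)
{
    size_t total = 3 + payload_actual + HB_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, payload_actual);
    memset(buf + 3 + payload_actual, 0xAA, HB_PADDING);
    return total;
}

/* Plain byte search (avoids the non-standard memmem). */
int hb_contains(const unsigned char *hay, size_t hay_len,
                const char *needle, size_t needle_len)
{
    if (needle_len > hay_len) return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* Runs the "respond with the 64-byte string 'xx'" request through both
 * paths. Returns 1 if the unchecked path's response carries the leftover
 * data; reports each path's response length through the out-parameters. */
int hb_demo(size_t *vuln_len, size_t *hard_len)
{
    unsigned char req[64], resp[128];
    size_t req_len = hb_build_request(req, sizeof req, 64, "xx", 2);
    *vuln_len = hb_respond(req, req_len, resp, sizeof resp, 0);
    int leaked = *vuln_len > 0 &&
        hb_contains(resp, *vuln_len, leftover_secret, strlen(leftover_secret));
    *hard_len = hb_respond(req, req_len, resp, sizeof resp, 1);
    return leaked;
}

int main(void)
{
    size_t v, h;
    int leaked = hb_demo(&v, &h);
    printf("unchecked path: %zu bytes returned, leftover data present: %s\n",
           v, leaked ? "yes" : "no");
    printf("hardened path:  %zu bytes returned (0 = request rejected)\n", h);
    return 0;
}
```

The request carries two payload bytes plus padding (21 bytes in total) but claims 64; the unchecked path answers with 83 bytes that include the leftover session string, while the hardened path rejects the same record because 1 + 2 + 64 + 16 exceeds 21. A request that claims exactly the two bytes it sends passes the check on both paths, which is the point of the fix: legitimate traffic is unaffected.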