On Thu, Apr 17, 2014 at 10:55:37AM +0100, Laurie Brown wrote:
On 16/04/14 15:37, Chris Green wrote:
[SNIP]
So the hacker would simply 'ask' any old system (by sending an SSL packet or sequence of packets) for the contents of its RAM - oooh! I can see that would open up rather more vulnerabilities than just the odd username/login.
AIUI, the rogue request is not the designated length, but short. The responding server always replies with 64K, and it pads the response with random chunks of RAM. These can be examined, and it is possible to extract username and password information from it.
Therefore, it is pretty pointless rushing off to change one's passwords until the server has been patched, or the new password can be sniffed out in just the same way as the old one could.
Bad design, putting username and password adjacent in memory; if they weren't there together it would be much more difficult to use the bug to extract useful information. It shouldn't be necessary for both to be there at the same time at all.
In fact why are lists of this sort of information even *present* on web facing servers? Surely the web server should authenticate against non-web facing machines where, if necessary, customer details are stored.
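For anyone following the thread who wants to see the mechanism rather than the description: below is an added example (mine, not code from this list or from OpenSSL) of a toy heartbeat responder in the shape of RFC 6520, one variant trusting the peer's claimed payload length and one checking it against the record actually received. The "process memory" is a constructed array holding the incoming record followed by an unrelated, made-up credential string, so the over-read is deterministic and the secret's position is an assumption of the demo.

```c
#include <stddef.h>
#include <string.h>

/*
 * Assumed record layout (RFC 6520 heartbeat message):
 *   [type:1][payload_length:2, big-endian][payload][padding, >= 16 bytes]
 * Everything here is an added illustration, not the real OpenSSL code.
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3
#define HB_PADDING   16

/* Vulnerable variant: only the output buffer is bounds-checked, so the
 * peer-supplied payload_length decides how much memory gets copied out. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    size_t payload;
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST)
        return -1;
    payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    /* Copies 'payload' bytes from wherever the record sits, even when the
     * record itself is far shorter: this over-read is the bug. */
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING); /* real code: random bytes */
    return (int)(HB_HEADER + payload + HB_PADDING);
}

/* Fixed variant: the claimed length must fit inside the bytes received;
 * otherwise the message is silently discarded, as RFC 6520 requires. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    size_t payload;
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST)
        return -1;
    payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload + HB_PADDING > rec_len)   /* the missing check */
        return -1;
    if (HB_HEADER + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return (int)(HB_HEADER + payload + HB_PADDING);
}

/* Builds a request whose advertised length (claimed) may differ from the
 * payload actually sent (real_len). Returns the bytes actually written. */
size_t build_request(unsigned char *buf, size_t claimed,
                     const char *payload, size_t real_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memcpy(buf + HB_HEADER, payload, real_len);
    memset(buf + HB_HEADER + real_len, 0, HB_PADDING);
    return HB_HEADER + real_len + HB_PADDING;
}

/* 1 if needle occurs anywhere in hay[0..n), else 0. */
int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle), i;
    for (i = 0; m <= n && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Sends a request claiming 128 payload bytes but carrying 5, against a
 * constructed memory image with a credential string 64 bytes further on.
 * Returns 1 if that string shows up in the response, 0 otherwise. */
int demo_leaks_secret(int use_fixed)
{
    unsigned char memory[256], out[512];
    const char secret[] = "user=alice&pass=hunter2";   /* constructed */
    size_t rec_len;
    int n;

    memset(memory, 0, sizeof memory);
    rec_len = build_request(memory, 128, "hello", 5);
    memcpy(memory + 64, secret, sizeof secret);
    n = use_fixed ? heartbeat_fixed(memory, rec_len, out, sizeof out)
                  : heartbeat_vulnerable(memory, rec_len, out, sizeof out);
    return n < 0 ? 0 : contains(out, (size_t)n, "hunter2");
}

/* Sanity check that the fix still answers an honest request: returns the
 * response length (24 for a 5-byte payload) or -1. */
int demo_honest_request(void)
{
    unsigned char rec[64], out[64];
    size_t rec_len = build_request(rec, 5, "hello", 5);
    return heartbeat_fixed(rec, rec_len, out, sizeof out);
}
```

The point the thread is circling is visible in demo_leaks_secret(): nothing in the vulnerable path ever consults how many bytes arrived, so whatever happens to sit after the record in the process's memory comes back to the peer. Whether that is a credential pair, a session cookie or nothing useful depends entirely on what the server keeps near its network buffers, which is exactly why the layout question raised above matters.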