> How do I determine whether or not the web servers I run are affected?

Here's a simple way:
                echo B | openssl s_client -connect $HOST:$PORT
if you see "heartbeating" at the end, then $HOST is vulnerable.

How can you tell if private keys have been taken?  You can't, really. You can 
estimate the likelihood by looking closely at how OpenSSL_Malloc() return 
values are used and laid out.  The risk is that an allocated ssl-record buffer 
is right up against a private key being stored.

                /r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
