On Mon, 07 Apr 2014 18:28:02 -0500, w0rp <[email protected]> wrote:
http://heartbleed.com/
This bug has been getting around. The bug was caused by missing bounds
checking.
I'm glad to be using a language with bounds checking.
I thought the standard process (especially for such a massive security
vulnerability) for these types of issues was to have a significant span of
time between when the fix is publish and when the details of the
vulnerability are released, yet from what I can see, they've published
extensive details on the vulnerability on the exact same day that the fix
was released. I really hope this isn't actually the case. (and more so, I
hope none of the US news media who have any idea what it means get ahold
of it, because it means that almost nobody in the US will not know about
the issue, and believe me when I say, there are a LOT of people out there
who would do a lot of harm with such a thing)
From what I understand, depending on the exact configuration of the sever,
namely who's address space OpenSSL was loaded in, it would be possible to
rip database passwords from the server's memory. Servers that act merely
as a proxy to the internal servers (the configuration that most large
websites would have, which offloads the (de/en)cryption to gateway nodes)
wouldn't have as big of an issue, but it would still be an issue.
