If any of you guys and gals think this isn't serious, think twice. The CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours of being announced. There is a wave of security compromises all over the world, and sane CAs are offering free renewals of SSL certificates.

On 04/11/2014 08:35 AM, Eli Billauer wrote:
Hi all,

I suppose that the security freaks already know about this, and still, 
this seems important enough for an alert.

In a nutshell, a bug in the mechanism that allows keepalive messages to 
be sent to maintain an SSL link also allows, accidentally, a remote 
attacker to read a segment of up to 64 kBytes from the server's memory. 
It doesn't give access to any chunk of 64 kBytes, but it's a segment 
which is likely to be dirty with data that belongs to the process 
running OpenSSL. So there's a chance that data related to private keys 
and passwords is revealed this way.

See http://en.wikipedia.org/wiki/Heartbleed

I haven't found any tool checking a local SSH server, say as source code 
in C. I suppose it's being avoided for the sake of not supplying the 
almost-finished attack to script kiddies.

Hag Sameah (happy holiday),


Haifux mailing list
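The over-read Eli describes above comes down to one missing bounds check: the heartbeat record carries a 2-byte length field, and the pre-fix handler trusted it when copying the payload back into the response. The following is an added example, written for this thread and not taken from the post or from OpenSSL's source: a stripped-down model of the heartbeat handler before and after the fix, using the RFC 6520 record layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding). The simulated `heap`, the fake private-key string placed in it, and the function names are all constructed for the demonstration, and the padding is zeroed rather than random to keep the example deterministic.

```c
/*
 * Model of the TLS heartbeat handler, before and after the Heartbleed fix.
 * Added illustration code, not OpenSSL's source. Record layout follows
 * RFC 6520; the "heap" contents and the secret are constructed for the demo.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16     /* minimum padding required by RFC 6520 */

/* Simulated process memory: the heartbeat record is received into the front
 * of this buffer, and other data (here a constructed private-key fragment)
 * happens to live a little further on, as it would in a busy server. */
static uint8_t heap[4096];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Pre-fix logic: the peer-supplied length is trusted, so memcpy reads
 * `claimed` bytes from the payload no matter how many bytes were received.
 * Returns the number of response bytes produced. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap)
{
    (void)rec_len;                           /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t claimed = rd16(rec + 1);
    size_t out = 1 + 2 + (size_t)claimed + HB_PADDING;
    if (out > resp_cap) return 0;            /* demo-only guard on the output buffer */
    resp[0] = HB_RESPONSE;
    wr16(resp + 1, claimed);
    memcpy(resp + 3, rec + 3, claimed);      /* over-read: copies whatever follows the record */
    memset(resp + 3 + claimed, 0, HB_PADDING);
    return out;
}

/* Post-fix logic: silently discard the record unless the claimed payload,
 * plus header and minimum padding, fits inside the bytes actually received. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t claimed = rd16(rec + 1);
    if (1 + 2 + (size_t)claimed + HB_PADDING > rec_len) return 0;   /* the missing check */
    size_t out = 1 + 2 + (size_t)claimed + HB_PADDING;
    if (out > resp_cap) return 0;
    resp[0] = HB_RESPONSE;
    wr16(resp + 1, claimed);
    memcpy(resp + 3, rec + 3, claimed);
    memset(resp + 3 + claimed, 0, HB_PADDING);
    return out;
}

/* Stage a heartbeat request in the simulated heap: 2 real payload bytes,
 * but a length field of `claimed`. Returns the true on-the-wire length. */
size_t stage_request(uint16_t claimed)
{
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    wr16(heap + 1, claimed);
    heap[3] = 'h'; heap[4] = 'i';                    /* the only real payload */
    memcpy(heap + 200, secret, sizeof secret);       /* leftover data after the record */
    return 3 + 2 + HB_PADDING;                       /* 21 bytes actually received */
}

/* Portable memmem: does `needle` occur in the first `n` bytes of `hay`? */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's reply to a lying request carries the secret. */
int leak_with_vulnerable(void)
{
    static uint8_t resp[sizeof heap];
    size_t rec_len = stage_request(1000);            /* claims 1000 bytes, sent 2 */
    size_t n = heartbeat_vulnerable(heap, rec_len, resp, sizeof resp);
    return n != 0 && contains(resp, n, secret);
}

/* Response length from the fixed handler for the same lying request (0 = dropped). */
size_t response_with_fixed(void)
{
    static uint8_t resp[sizeof heap];
    size_t rec_len = stage_request(1000);
    return heartbeat_fixed(heap, rec_len, resp, sizeof resp);
}

/* An honest request (length field matches what was sent) is still answered. */
size_t response_with_fixed_honest(void)
{
    static uint8_t resp[sizeof heap];
    size_t rec_len = stage_request(2);
    return heartbeat_fixed(heap, rec_len, resp, sizeof resp);   /* 1 + 2 + 2 + 16 = 21 */
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n", leak_with_vulnerable() ? "yes" : "no");
    printf("fixed handler, lying request:    %zu bytes\n", response_with_fixed());
    printf("fixed handler, honest request:   %zu bytes\n", response_with_fixed_honest());
    return 0;
}
```

The demo keeps the over-read inside its own 4 KB buffer so it runs without crashing, but the copy in `heartbeat_vulnerable` is exactly the pattern that let a real peer walk up to 65535 bytes past the end of the received record; the fix is nothing more than comparing the claimed length against `rec_len` before the copy, and dropping the record (rather than answering with an error) when it does not fit.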
