If any of you guys and gals think this isn's serious, think twice. The CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours of being announced. There is a wave of security compromises all over the world and sane CAs are offering free renewals of SSL certificates.
On 04/11/2014 08:35 AM, Eli Billauer wrote:
Hi all, I suppose that the security freaks already know about this, and still, this seems important enough for an alert.In a nutshell, a bug in the mechanism that allows keepalive messages to be sent to maintain an SSL link, also allows, accidentally, a remote attacker to read a segment of up to 64 kBytes from the server's memory. It's doesn't give access to any chunk of 64 kBytes, but it's a segment which is likely to be dirty with data that belongs to the process running openSSL. So there's a chance that data related to private keys and passwords is revealed this way. See http://en.wikipedia.org/wiki/Heartbleed I haven't found any tool checking a local SSH server, say as source code in C. I suppose it's being avoided for the sake of not supplying the almost-finished attack to script kiddies. Hag Sameah, Eli
_______________________________________________ Haifux mailing list Haifux@haifux.org http://haifux.org/mailman/listinfo/haifux