Ø  How do I determine whether or not the web servers I run are affected?

Here's a simple way:
                echo B | openssl s_client -connect $HOST:$PORT
if you see "heartbeating" at the end, then $HOST is vulnerable.

How can you tell if private keys have been taken?  You can't, really. You can 
estimate the likelihood by looking closely at how OpenSSL_Malloc() return 
values are used and layed out.  The risk is that an allocated ssl-record buffer 
is right up against a private key being stored.


Principal Security Engineer
Akamai Technology
Cambridge, MA

Reply via email to