Coding Practice [was Re: Serious OpenSSL vulnerability]
Ian Malone
ibmalone at gmail.com
Sat Apr 26 10:02:41 UTC 2014
On 26 April 2014 03:38, Tim <ignored_mailbox at yahoo.com.au> wrote:
> On Wed, 2014-04-23 at 23:26 -0400, Rahul Sundaram wrote:
>> millions and millions of affected users who had to go ahead and change
>> passwords for many many things they rely on
>
> One thing I haven't seen mentioned, here nor elsewhere, was whether the
> bug could only affect you if they tried to hack the server while you
> were using it. Or if it was possible to extra useful data well after
> you had been and gone. Since it's talking about reading data beyond
> what's expected, I suspect it may be that you were vulnerable even
> sometime after your session, if the server hadn't re-used the memory for
> something else, yet.
>
The simplest 'backwards' exploit is if the private keys were stolen
then other encrypted traffic captured which had used the same keys
could then be decoded. Though IIUC 'perfect forward secrecy' should
reduce the risk of that. As you say there's also whatever data is
still in memory, that's a shorter window. I don't know how Apache
memory is structured, but I'd speculate there's the potential to leak
hashed passwords there.
--
imalone
http://ibmalone.blogspot.co.uk
More information about the users
mailing list