Full Disclosure mailing list archives
Re: heartbleed OpenSSL bug CVE-2014-0160
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 9 Apr 2014 22:01:19 -0700
How realistic is it that an attacker would be able to glean passwords through this vulnerability?
Highly.
Programatically searching through 64k memory dumps for certificates seems plausible, but looking for passwords does not. A password is of no pre-determined length or format.
HTTP POST requests have a very specific and distinctive format that makes it very easy to automatically spot web app login attempts if you happen to stumble upon one. On top of that, the nature of this vulnerability makes it relatively easy to stumble upon snippets of requests made by other users (whereas the leak of crypto keys appears to be considerably less likely under normal circumstances). /mz _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: heartbleed OpenSSL bug CVE-2014-0160, (continued)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Andrew Case (Apr 07)
- Re: heartbleed OpenSSL bug CVE-2014-0160 David H (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Joerg Mertin (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Jann Horn (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Francesc Guitart (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Javier Reoyo (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Carlos P (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Joerg Mertin (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 David H (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Matthew Musingo (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Craig Holmes (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Michal Zalewski (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Menso Heus (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Txalin (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Pål Nilsen (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Reindl Harald (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Pål Nilsen (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ricardo Iramar dos Santos (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Nik Mitev (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Chris Schmidt (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Jann Horn (Apr 08)