Full Disclosure mailing list archives
Re: heartbleed OpenSSL bug CVE-2014-0160
From: Pål Nilsen <paal.nilsen () gmail com>
Date: Thu, 10 Apr 2014 13:09:20 +0200
This is pretty nice: https://lastpass.com/heartbleed/ They seem to even have historic data for some sites' certificates. On 10 April 2014 11:02, Reindl Harald <h.reindl () thelounge net> wrote:
Am 10.04.2014 00:32, schrieb Craig Holmes:On April 8, 2014 10:21:34 AM Matthew Musingo wrote:Even if your systems were patched an attacker could have alreadyattainedthe secrets. Certs and other sensitive information need to be reconsidered for replacement or changedHow realistic is it that an attacker would be able to glean passwordsthroughthis vulnerability? Programatically searching through 64k memory dumpsforcertificates seems plausible, but looking for passwords does not. Apassword isof no pre-determined length or format. So unless you know what stringsarewrapped around it (and those strings are reliably presented), isn't thelossof some types of sensitive information.... unlikely?it is very realistic and already happened Anonymous Austria yesterday posted about online banking transactions with screenshots auf the data-dumps, webmail-accounts and so on over many hours and for a short tiemframe there where even folder with thousands of such dumps online _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: heartbleed OpenSSL bug CVE-2014-0160, (continued)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Javier Reoyo (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Carlos P (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 David H (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Matthew Musingo (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Craig Holmes (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Michal Zalewski (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Menso Heus (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Txalin (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Pål Nilsen (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Reindl Harald (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Pål Nilsen (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ricardo Iramar dos Santos (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Nik Mitev (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Chris Schmidt (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Jann Horn (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Tim Schütt (Apr 08)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Rob van der Putten (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Walt Williams (Apr 09)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Brandon Vincent (Student) (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Carlos P (Apr 11)