Full Disclosure mailing list archives
Re: heartbleed OpenSSL bug CVE-2014-0160
From: Afonso Araújo Neto <afonso.araujo () gmail com>
Date: Fri, 11 Apr 2014 23:50:25 -0300
The Heartbleed Challenge was solved, so no more mistery about the possibility of private key compromise. https://www.cloudflarechallenge.com/heartbleed The Heartbleed Challenge Can you steal the keys from this server? Has the challenge been solved yet? YES So far, two people have independently solved the Heartbleed Challenge. The first was submitted at 4:22:01PST by Fedor Indutny (@indutny). He sent at least 2.5 million requests over the span of the challenge, this was approximately 30% of all the requests we saw. The second was submitted at 5:12:19PST by Illkka Mattila of NCSC-FI using around 100 thousand requests. We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits. We rebooted the server at 3:08PST, which may have contributed to the key being available in memory, but we can't be certain. On Fri, Apr 11, 2014 at 5:14 PM, Schmidt, Michael < michael.schmidt () walgreens com> wrote:
They are talking about their servers... And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible. "modified version of NGINX that we use" -----Original Message----- From: Fulldisclosure [mailto:fulldisclosure-bounces () seclists org] On Behalf Of Manuel Tiago Pereira Sent: Friday, April 11, 2014 7:31 AM Cc: fulldisclosure () seclists org Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 Hi, CloudFlare has a very interesting article on their attempts to get a SSL private key, explaining why they find it very unlikely to be able to get it. Here it is: http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed On Fri, Apr 11, 2014 at 10:45 AM, Paul Vixie <paul () redbarn org> wrote:Juergen Christoffel wrote:On Thu, Apr 10, 2014 at 11:32:21PM -0700, Paul Vixie wrote:[...] really bruce? on a scale of doesn't-matter-at-all to worst-thing-you-could-have-previously-imagined, a read only exploit is even worse than that?With all due respect to your ego Paul, I think you might under-estimate the long term effects: private keys get stolen, this allows people to play man-in-the-middle, people (the masses) will renew their certificates but might re-use their generated private keys because the don't know exactly what they are doing, etc.thanks for whatever respect may be due, but bruce is still wrong. the cost to fix this is: 1. replace all private keys 2. replace all passwords 3. upgrade all SSL software that rates 9 out of 10, where 10 is the worst thing i could have imagined pre-heartbleed, which is remote file modification and/or remote code execution, because the costs in that case would be: 1. inclusive of [1..3] above 2. replace all operating systems 3. audit or replace all user dataAs the EFF's traces back into 2013 might tell us, some bad guys exploited this for some time now. If this is the case, we might soon arrive at the conclusion that we need to exchange all certificates which had been created in the last two years.we already have to do that, since we have to assume the worst whenever we don't have log files which somehow prove a negative.While I hope it tends to your interpretation, I fear a bit that it might be Bruces in the long run.bruce was spouting nonsense. heartbleed's costs will not be higher than previously imaginable. vixie _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/-- Manuel Tiago Pereira _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: heartbleed OpenSSL bug CVE-2014-0160, (continued)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Paul Vixie (Apr 10)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ivan .Heca (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Brandon Perry (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Marco Davids (priv) (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Juergen Christoffel (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Paul Vixie (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Michal Zalewski (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ferenc Kovacs (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Manuel Tiago Pereira (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Schmidt, Michael (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Afonso Araújo Neto (Apr 11)
- Message not available
- Re: heartbleed OpenSSL bug CVE-2014-0160 Ricardo Iramar dos Santos (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 HaCKsPy (Apr 11)
- Andrew "Weev" Auernheimer's Conviction Thrown Out g () 1337 io (Apr 11)
- Re: Andrew "Weev" Auernheimer's Conviction Thrown Out Jeffrey Paul (Apr 11)
- Re: Andrew "Weev" Auernheimer's Conviction Thrown Out Groundworks Technologies Advisories (Apr 11)
- Re: heartbleed OpenSSL bug CVE-2014-0160 Michal Zalewski (Apr 11)