[LUNA] heartbleed
Bob Nance
bob.nance at novationsys.com
Thu Apr 10 21:21:43 CDT 2014

The trick is to get the private key of a website, which is in RAM,
somewhere! Once you have it, you can intercept all SSL communications
without the web user having a clue. A perfect man-in-the-middle attack!

On 4/10/14, 8:21 PM, "Michael W. Hall" <hallmw at att.net> wrote:
>That is what they said at work, Bob. Basically it did a memory dump of
>the system. You could eventually get a snapshot of the memory.
>
>On Thu, 2014-04-10 at 15:26 +0000, Bob Nance wrote:
>> ALL versions of OpenSSL had the bug.
>>
>> There is no way to track that the bug was triggered.
>>
>> It did not require you to actually access or authenticate to the system
>> in any way.
>>
>> The bug, basically, did a memory dump of the running system (as I
>> understand it).
>>
>> So, it must be assumed that EVERY OpenSSL implementation was being
>> triggered every few minutes since the dawn of time.
>>
>> Yes, it's that bad.
>>
>>
>
>
>_______________________________________________
>LUNA mailing list
>LUNA at lunagroup.us
>http://lunagroup.us/mailman/listinfo/luna