[LUNA] heartbleed

Allen Krell allen.krell at gmail.com
Fri Apr 11 06:42:24 CDT 2014


I think the banks are putting their heads in the sand on this one.  They
keep saying it hasn't impacted them.  But it isn't about only their
websites, it is about every website where you ever bought anything.  And,
it isn't about passwords, it is about past lost data.


On Thu, Apr 10, 2014 at 9:21 PM, Bob Nance <bob.nance at novationsys.com> wrote:

> The trick is to get the private key of a website, which is in RAM,
> somewhere! Once you have it, you can intercept all SSL communications
> without the web user having a clue. A perfect man-in-the-middle attack!
>
>
> On 4/10/14, 8:21 PM, "Michael W. Hall" <hallmw at att.net> wrote:
>
> >That is what they said at work Bob.  Basically it did a memory dump of
> >the system.  You could eventually get a snapshot of the memory.
> >
> >On Thu, 2014-04-10 at 15:26 +0000, Bob Nance wrote:
> >> ALL versions of OpenSSL had the bug.
> >>
> >> There is no way to track that the bug was triggered.
> >>
> >> It did not require you to actually access or authenticate to the system
> >> in any way.
> >>
> >> The bug, basically, did a memory dump of the running system (as I
> >> understand it).
> >>
> >> So, it must be assumed that EVERY OpenSSL implementation was being
> >> triggered every few minutes since the dawn of time.
> >>
> >> Yes, it's that bad.
> >>
> >>
> >
> >
> >_______________________________________________
> >LUNA mailing list
> >LUNA at lunagroup.us
> >http://lunagroup.us/mailman/listinfo/luna
>