Heartbleed Bug: Serious Hole in Internet Security

Page 5 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
Toggle sidebar Toggle sidebar
Markbnj

Markbnj

Elite Member <br>Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
spidey07 said:
Not only do you have to patch, you have to re-issue new certificates. About it being unknown is wishful thinking because again there is no way at all to tell if somebody was doing it.

I can assure you there are very smart hackers that are constantly trying to hack SSL. Getting the private keys to the cert is the gold mine jackpot. If somebody looked at the source code for it I'm sure they could easily reverse engineer it and notice the memory problem. Being open source I would assume the source code is readily available?
Click to expand...

The cert thing is a definite pain in the ass, but it mostly hits orgs with the resources to deal with it. And as has been said elsewhere, maybe the cost will be a kick in the tail that encourages them to get more involved and put some dollars where their interests lie.

Anyway, I have nothing to go on other than my instinct, which still leans towards "It'll blow over relatively quickly."
 
dennilfloss

dennilfloss

Past Lifer 1957-2014 In Memoriam
Oct 21, 1999
30,509
12
0
dennilfloss.blogspot.com
IndyColtsFan

IndyColtsFan

Lifer
Sep 22, 2007
33,655
688
126
Virgorising said:
Exactly! I AM GOB SMACKED.
Click to expand...

I'm not sure why you think this is a huge revelation. You do know most software has bugs, right? And you do know that bugs generally aren't intentional, right? In this case, the guy made a simple mistake and the reviewer didn't catch it either.
 
Virgorising

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
IndyColtsFan said:
I'm not sure why you think this is a huge revelation. You do know most software has bugs, right? And you do know that bugs generally aren't intentional, right? In this case, the guy made a simple mistake and the reviewer didn't catch it either.
Click to expand...


I expressed my reactions actually. Nothing to apologize for. I am not as defensively chilled out and cynical and sanguine as you are, nor would I ever wanna be.

Especially, given most people assumed some malfeasance and purposeful chinanery were at play here.
 
IndyColtsFan

IndyColtsFan

Lifer
Sep 22, 2007
33,655
688
126
Virgorising said:
I expressed my reactions actually. Nothing to apologize for. I am not as defensively chilled out and cynical and sanguine as you are, nor would I ever wanna be.
Click to expand...

I'm not asking you to apologize. I'm asking why you think that it is such a stunning revelation that someone made a mistake in the code. Coding mistakes happen all the time but unfortunately, this particular mistake has really bad consequences compared to most.

Especially, given most people assumed some malfeasance and purposeful chinanery were at play here.
Click to expand...

They can remove their tinfoil hats now. It's safe.
 
OutHouse

OutHouse

Lifer
Jun 5, 2000
36,410
616
126
lol so he made a minor change to fix a bug but made a bug and was missed by reviewing and testing resulting in all hell breaking loose.

i think he used to work at my company hahahah
 
Virgorising

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
IndyColtsFan said:
I'm not asking you to apologize. I'm asking why you think that it is such a stunning revelation that someone made a mistake in the code. Coding mistakes happen all the time but unfortunately, this particular mistake has really bad consequences compared to most.

They can remove their tinfoil hats now. It's safe.
Click to expand...

Bottom line, this event, its magnitude and impact both: unique in cyber history. End of story.
 
Virgorising

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
Crusty said:
I still don't get why you're so surprised.

Programmers are human, and humans make mistakes...
Click to expand...

Let me try again, never before to my knowledge has some MISTAKE of this sort, impacted as many in the world as THIS ONE.

No professional gets it right all the time. This is about worldwide IMPACT. In that, this event, so far....is UNIQUE.
 
Last edited:
Lean L

Lean L

Diamond Member
Apr 30, 2009
3,685
0
0
Virgorising said:
K....so, private keys are not at risk?

At Least they can't use the thing to compromise them?
Click to expand...

That is one of the best articles posted about the issue in this thread and answers your question perfectly. Just read the thing.

In short, it's possible but rare (Their case study was NGINX) since the private key would not be as likely to stay in memory after SSL is initialized. It's rare to find that piece of information to begin with due to the random data that is retrieved anyways.

But seriously... READ that article.
 
Virgorising

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
Lean L said:
That is one of the best articles posted about the issue in this thread and answers your question perfectly. Just read the thing.

In short, it's possible but rare (Their case study was NGINX) since the private key would not be as likely to stay in memory after SSL is initialized. It's rare to find that piece of information to begin with due to the random data that is retrieved anyways.

But seriously... READ that article.
Click to expand...

I did read it. Truth is, I am so creeped out, I could not totally believe it.
 
CZroe

CZroe

Lifer
Jun 24, 2001
24,195
857
126
Virgorising said:
K....so, private keys are not at risk?

At Least they can't use the thing to compromise them?
Click to expand...

Sure they are. They are extremely difficult to access after the first request due to the contents of the memory being unpredictable, but it's possible. Heck, there are DoS attacks/exploits that could be used to force a reboot for a first request. Someone try sending that honeypot the ol', Win95 Ping of Death. ;)
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom