Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Is this really an accurate challenge? I have wondered if the true exposure risk from Heartbleed may be over-stated* due to memory separation between processes, etc. This however is probably a clean server with a fairly static install. There isn't a risk of things like session leakage which I think is the true risk of Heartbleed. Nor would there be the memory fragmentation that would occur in a production system. While intriguing I'm not sure how much it proves?

(* this is still good though as any risk is unacceptable and shouting Fire makes everyone move... and they need to on this issue)



It may be the case that Heartbleed did not practically expose private keys. The risk was not overstated in general, though; a virtually undetectable method that has been proved to do things like leak plaintext username/password credentials is still catastrophic.


There's no memory separation between a web server that incorporates OpenSSL and... itself.


It might be more accurate if this server ran some services, though, like a real server would.


Anything OpenSSL decrypts surely has to hit the OpenSSL process's memory, right? That would include requests, which could easily contain sessions, passwords, etc.


Much kudos to the guy who cracked it later in the day. I'm glad this proved a useful test. I gladly stand corrected.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: