There's probably an "official" place to get ssltest.py, but I put it here after some guys on IRC asked for it yesterday: https://ccdn.tracetracker.com/ssltest.py
On 10 April 2014 08:39, Txalin <txa...@gmail.com> wrote: > > How realistic is it that an attacker would be able to glean passwords > through > > this vulnerability? > > Checked by myself yesterday in some websites with login/pass form in (sites > from my company, don't blame me). I took less than 2 minutes to get 3 > user/password combinations, so, easy as hell. > > PD: First message in FD, hi all!!! > > > 2014-04-10 0:32 GMT+02:00 Craig Holmes <cr...@rideaunetworks.com>: > > > On April 8, 2014 10:21:34 AM Matthew Musingo wrote: > > > Even if your systems were patched an attacker could have already > > attained > > > the secrets. > > > > > > Certs and other sensitive information need to be reconsidered for > > > replacement or changed > > How realistic is it that an attacker would be able to glean passwords > > through > > this vulnerability? Programatically searching through 64k memory dumps > for > > certificates seems plausible, but looking for passwords does not. A > > password is > > of no pre-determined length or format. So unless you know what strings > are > > wrapped around it (and those strings are reliably presented), isn't the > > loss > > of some types of sensitive information.... unlikely? > > > > Cheers. > > Craig > > > > > > _______________________________________________ > > Sent through the Full Disclosure mailing list > > http://nmap.org/mailman/listinfo/fulldisclosure > > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
