There is ample proof this morning that it can be used to acquire Yahoo credentials with ease as Yahoo remains unpatched. Security researchers are having a field day, so you can be pretty sure black hats are too.
Phil Pennock <lopsa-t...@spodhuis.org> wrote:
>On 2014-04-07 at 17:56 -0700, Paul Graydon wrote:
>> Bear in mind that there is no way to tell if you've been compromised
>> or not. If you can, it's worth erring on the side of caution.
>
>Indeed. The disclosure is just extra data sent back in a frame from the
>server, without the connection being dropped or any abnormal
>termination; the events are heart-beats which don't normally cause any
>logging, because they're _not_ a "data transfer", they just keep the
>connection alive, help with Path MTU Discovery and maybe help defeat
>traffic analysis in some deployment scenarios. The latter two reasons
>are why "heartbeats" have a payload at all.
>
>Further, it turns out that it's 64kB of disclosure, per heartbeat
>packet, and the attacker appears to have pretty free rein over the
>peer's address-space (and either side can send heart-beats, so AFAICT,
>an OpenSSL client can be attacked by a malicious server).
>
>(This would neatly explain how the NSA got ahold of server keys for some
> service providers.)
>
>-Phil
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
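The mechanism Phil describes (a heartbeat whose peer-supplied payload length is echoed back without being compared to what actually arrived, giving up to 64kB of whatever lies past the record) is easy to see in a small model. The following C is an added example, not OpenSSL's code or anything posted to the list: it lays out the RFC 6520 HeartbeatMessage (type, 2-byte payload_length, payload, at least 16 bytes of padding), puts the received record into a constructed, hypothetical "process memory" array with a made-up secret a few bytes past the end of the record, and runs the same request through a vulnerable handler and one with the RFC 6520 section 4 discard check. All names (`g_mem`, `SECRET`, `heartbeat_vulnerable`, `heartbeat_fixed`, `response_leaks_secret`) and the memory layout are assumptions made for the demonstration. The handler is the same code whichever side sends the heartbeat, which is why a client processing a malicious server's heartbeat is exposed in the same way.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage layout:
 *   type(1) | payload_length(2) | payload[payload_length] | padding[>=16]
 */
#define HB_REQUEST      1
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

/* Constructed model of the peer's address space (hypothetical layout, not
 * OpenSSL's allocator): the received record is at offset 0 and a secret left
 * over from another connection sits a few bytes past the record's end. */
#define MEM_SIZE 70000
static unsigned char g_mem[MEM_SIZE];
static const char SECRET[] = "session_key=2b7e151628aed2a6";  /* constructed value */

/* Writes a HeartbeatRequest into g_mem that claims `claimed_len` payload bytes
 * while actually carrying `payload_len`; returns the length that really arrived
 * on the wire, i.e. what the TLS record layer knows. */
static size_t place_record(uint16_t claimed_len, const char *payload, size_t payload_len)
{
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(claimed_len >> 8);
    g_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_mem + HB_HEADER_LEN, payload, payload_len);
    size_t record_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    memcpy(g_mem + record_len + 8, SECRET, sizeof SECRET);   /* "adjacent" memory */
    return record_len;
}

/* Vulnerable handler: echoes payload_length bytes starting at the payload and
 * never compares that peer-supplied length with the record length actually
 * received. Returns the number of bytes placed in `out`, or -1. The out_cap
 * check only keeps this model's own buffer in bounds; it is not the fix. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_len > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);   /* over-read past the record */
    return payload_len;
}

/* Fixed handler: the RFC 6520 section 4 rule. If header + claimed payload +
 * minimum padding does not fit in the record that arrived, discard silently. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > rec_len) return -1;
    if ((size_t)payload_len > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return payload_len;
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Sends a 4-byte "ping" that claims a 65535-byte payload (the 64kB case) and
 * reports whether the response handed back to the peer carries the secret. */
int response_leaks_secret(int use_fixed)
{
    static unsigned char out[65536];
    size_t rec_len = place_record(0xFFFF, "ping", 4);
    int n = use_fixed ? heartbeat_fixed(g_mem, rec_len, out, sizeof out)
                      : heartbeat_vulnerable(g_mem, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* Honest request: the fixed handler still echoes the 4 bytes the peer sent. */
int honest_echo_len(void)
{
    static unsigned char out[64];
    size_t rec_len = place_record(4, "ping", 4);
    return heartbeat_fixed(g_mem, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", response_leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", response_leaks_secret(1));
    printf("fixed handler honest echo bytes: %d\n", honest_echo_len());
    return 0;
}
```

Nothing here is logged or errors out on the vulnerable path: the request is well-formed at the record layer, the handler returns success, and the peer simply receives a larger response than it sent. That is the point Paul and Phil make about not being able to tell after the fact whether a host was hit.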