• 9

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191


File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

Trying to understand everything while reading http://heartbleed.com/

This sentence Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will this sounds pretty serious.

Now there are many private/small company websites that don't necessarily have SSL encryption for their site. Is this kind of malicious behavior also possible without heartbleed and SSL? If so does that mean every non SSL site could be an impersonated version? Is the information obtainable with heartbleed the same information hackers can get if a site is non-ssl encrypted or less/more?

In answer to the title question, and as is so often the case with technology, it depends. A single heartbleed attack allows an attacker to return up to 64k of what ought to be the server's private memory, and read whatever's stored there.

What will be stored there? It depends. So far, secret keys, session keys, and HTTPS payload data are amongst the things attackers have found in the returned datastream. It could in theory be anything, but because of the way memory is allocated by computers, it's hugely likely to be something that the attacked service was thinking about at the time: crypto keys for all services, HTTP logins for web servers, mail messages for IMAP servers, and so on. I'm not aware that any attacker has caused a service to return anything other than service-related secrets, and as long as that's true, heartbleed exposes nothing worse than doing everything in plaintext would have done.

One important respect in which heartbleed is worse than plaintext connections is that with crypto, people had the expectation of privacy, so may have behaved in a manner that they wouldn't have done under plaintext, and therefore more might be exposable. But that's a social, not a technical problem.

  • 4
Reply Report
    • OK, this is quite a good answer, but getting "64k of what ought to be the server's private memory" is not possible on a non SSL connection right?

yes, a non SSL connection can be viewed by any router/server that the traffic flows through and as the internet is routable in theory this could be any server anywhere(it isn't but could be).

If an attacker has been monitoring capturing all traffic with a malicious router/server but the data has been SSL encrypted then the data is essentially safe as long as the attacked does not have the keys to decrypt the data as the end server will have.

If the attacker uses heartbleed and retrieves the keys from the destination server then any encrypted data can be decrypted. Excluding servers employing PFS that the attacker would not be able to decrypt past SSL sessions from.(thanks @MichelZ for point it out)

The other reason to use SSL is that the connection cannot be spoofed/changed without you noticing.

As with all things security, with enough resources all these are moot points.

  • 0
Reply Report

Trending Tags