Quote:
Originally Posted by GGG
That is just a brilliant exploit. So simple and yet compromises the entire SSL.
How long have people been using this exploit? Has it existed undetected for years with a small group using it, or is this publicity it's getting causing more people to know about it who will use it before it gets fixed?
Probably both.
But while the exploit is easy, getting something that you can use isn't easy.
It returns the data that was stored next to the byte that was sent for the heartbeat. Who knows what that data is, it could be anything.
But we all know how fast computers are and how fond of repetition, so they just keep trying until they do get a string that they can use. And that is the private key which will then allow them to decrypt everything.
One of the biggest bugaboos about this is there is no logging or tracking, so everyone with this vulnerability will need to assume that they are compromised.
Which means they all need to patch, get a new set of keys, and (hopefully) advise the users to change their passwords.
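
The bounds check whose absence produces the behaviour described above (a heartbeat reply padded out with whatever sits next to the bytes actually sent), written as an added example that is not part of the original post or any TLS library's code. It assumes the heartbeat message layout from RFC 6520; `hb_check`, `hb_respond` and the `hb_rejected` counter are hypothetical names, and the two sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Heartbeat message (RFC 6520), carried in a TLS record of content type 24:
 *   type (1 byte: 1 = request, 2 = response)
 *   payload_length (2 bytes, big-endian, chosen by the sender)
 *   payload, then at least 16 bytes of padding */
enum hb_verdict { HB_OK, HB_TOO_SHORT, HB_LENGTH_OVERCLAIM };
#define HB_HEADER 3u
#define HB_PADDING 16u
static unsigned long hb_rejected; /* rejects are counted so they can be logged */

/* msg_len is the number of bytes actually received, never the claimed length. */
enum hb_verdict hb_check(const uint8_t *msg, size_t msg_len)
{
    if (msg == NULL || msg_len < HB_HEADER + HB_PADDING)
        return HB_TOO_SHORT;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    if (HB_HEADER + claimed + HB_PADDING > msg_len)
        return HB_LENGTH_OVERCLAIM; /* echoing this would read past the message */
    return HB_OK;
}

/* Builds the response in out; returns its length, or 0 if nothing is sent. */
size_t hb_respond(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_cap)
{
    if (hb_check(msg, msg_len) != HB_OK) { hb_rejected++; return 0; }
    if (msg[0] != 1) return 0;                   /* only requests are answered */
    size_t n = ((size_t)msg[1] << 8) | msg[2];
    size_t total = HB_HEADER + n + HB_PADDING;
    if (total > out_cap) return 0;
    out[0] = 2; out[1] = msg[1]; out[2] = msg[2];
    memcpy(out + HB_HEADER, msg + HB_HEADER, n); /* n is known to be in bounds */
    memset(out + HB_HEADER + n, 0, HB_PADDING);  /* real stacks use random padding */
    return total;
}

/* Constructed samples: an honest request, and one claiming 0x4000 bytes but carrying 1. */
static const uint8_t hb_honest[23] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_overclaim[20] = { 1, 0x40, 0x00, 'x' };
int main(void)
{
    uint8_t out[64];
    size_t a = hb_respond(hb_honest, sizeof hb_honest, out, sizeof out);
    size_t b = hb_respond(hb_overclaim, sizeof hb_overclaim, out, sizeof out);
    printf("honest: %zu bytes, overclaim: %zu bytes, rejected: %lu\n", a, b, hb_rejected);
    return 0;
}
```

Exporting the reject counter to a log or metric gives a patched server the record of over-claiming heartbeats that the post notes is otherwise missing.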