Hacker News

A malicious server can also read the memory of a client using the same Heartbleed vulnerability.

So the -NSA-mafia can go get the private key from a vulnerable server, MitM its clients, and attack those clients too.

Nasty stuff. And in the last day, even those agencies that didn't know about the vulnerability beforehand have likely spidered the entire web scraping everyone's keys just-in-case.




Anyone seen any evidence of attempts to do this, or set up honeypots?


In fact, an attacker doesn't even need to steal the private key. Heartbeats can be sent before certificate authentication takes place.
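As an added example (not part of any comment in this thread), here is a minimal Python check that a honeypot or sensor could run over the raw bytes received from one peer. It flags heartbeat records that arrive before the handshake finishes, and heartbeat messages whose claimed payload length does not fit the record under the RFC 6520 layout. The function names and sample streams are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, HEARTBEAT = 22, 20, 24  # TLS record content types
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 padding bytes

def record(ctype, body, version=0x0302):
    """Build one TLS record (used only to construct the sample data below)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def iter_records(stream):
    """Yield (content_type, fragment) for each complete TLS record in the stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) < length:
            break  # truncated capture, stop parsing
        yield ctype, fragment
        pos += 5 + length

def inspect_peer_stream(stream):
    """Return (record_index, finding) tuples for the bytes received from one peer."""
    findings, encrypted = [], False
    for index, (ctype, frag) in enumerate(iter_records(stream)):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True  # later records are ciphertext; fields not readable
        elif ctype == HEARTBEAT and not encrypted:
            # RFC 6520 says heartbeats should not be sent during the handshake.
            findings.append((index, "heartbeat-before-handshake-complete"))
            if len(frag) < 3:
                findings.append((index, "heartbeat-too-short"))
                continue
            claimed = struct.unpack_from("!H", frag, 1)[0]
            # type(1) + payload_length(2) + payload + padding must fit the record
            if 3 + claimed + MIN_PADDING > len(frag):
                findings.append((index, "heartbeat-length-mismatch"))
    return findings

# Constructed sample streams (not real captures); handshake bodies are dummies.
HELLO = record(HANDSHAKE, b"\x01\x00\x00\x00")
SAMPLE_MISMATCH = HELLO + record(HEARTBEAT, b"\x01\x40\x00")
SAMPLE_WELL_FORMED = HELLO + record(HEARTBEAT, b"\x01\x00\x04ping" + bytes(16))
SAMPLE_AFTER_CCS = HELLO + record(CHANGE_CIPHER_SPEC, b"\x01") + record(HEARTBEAT, bytes(40))

if __name__ == "__main__":
    for name in ("SAMPLE_MISMATCH", "SAMPLE_WELL_FORMED", "SAMPLE_AFTER_CCS"):
        print(name, inspect_peer_stream(globals()[name]))
```

Once the peer has sent ChangeCipherSpec the heartbeat fields are encrypted, so this plaintext check only covers the pre-authentication case raised in the last comment.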



