[users@httpd] heartbleed and httpd configuration

[mi2 co2 <te...@hotmail.com>]

Hi - I have a question regarding heartbleed and httpd configuration data leakage.

Should someone have been exploting this bug, would it be possible that httpd configuration data, derived via httpd confg files and in apache's memory, could have been leaked out through these openssl malloc calls? Or is the memory space those malloc calls for the openssl encryption/decryption layer isolated from the memory where httpd configuration would be stored?

thanks
 		 	   		  

[users@httpd] Re: heartbleed and httpd configuration

[LuKreme <kr...@kreme.com>]

On 15 Apr 2014, at 15:27 , Christopher Schultz <ch...@christopherschultz.net> wrote:

> Steven,
> 
> On 4/12/14, 2:15 PM, Steven Siebert wrote:
>> I think it would be unlikely because the httpd configuration data
>> would be read into memory early on the heap (and in a very low
>> volatile area where that memory wouldn't often be freed up), whereas
>> the heartbeat would be much later in the heap, and thus the buffer
>> overflow would very unlikely effect it.
>> 
>> You might get a more definitive answer CCing the developer
>> distro...since this really isn't a simple "configuration and support"
>> question....but they might just ignore the non-dev question.
>> 
>> If you get the answer off list, please update =)
> 
> This is what CloudFire thought, and they dared someone to steal their
> key using Heartbleed. 9 hours later...
> 
> http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge
> 
> Then again, they were using Nginx. But the idea is that everything is
> theoretically snoopable via Heartbleed.

Right, but it also shows that it’s unlikely without someone making a concerted effort. The first successful attempt required a million queries.

-- 
'But look,' said Ponder, 'the graveyards are full of people who rushed
in bravely but unwisely.' 'Ook.' 'What did he say?' said the Bursar.  'I
think he said, "Sooner or later the graveyards are full of everybody".'


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] heartbleed and httpd configuration

[Christopher Schultz <ch...@christopherschultz.net>]

Steven,

On 4/12/14, 2:15 PM, Steven Siebert wrote:
> I think it would be unlikely because the httpd configuration data
> would be read into memory early on the heap (and in a very low
> volatile area where that memory wouldn't often be freed up), whereas
> the heartbeat would be much later in the heap, and thus the buffer
> overflow would very unlikely effect it.
> 
> You might get a more definitive answer CCing the developer
> distro...since this really isn't a simple "configuration and support"
> question....but they might just ignore the non-dev question.
> 
> If you get the answer off list, please update =)

This is what CloudFire thought, and they dared someone to steal their
key using Heartbleed. 9 hours later...

http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

Then again, they were using Nginx. But the idea is that everything is
theoretically snoopable via Heartbleed.

-chris

Re: [users@httpd] heartbleed and httpd configuration

[Steven Siebert <sm...@gmail.com>]

I think it would be unlikely because the httpd configuration data
would be read into memory early on the heap (and in a very low
volatile area where that memory wouldn't often be freed up), whereas
the heartbeat would be much later in the heap, and thus the buffer
overflow would very unlikely effect it.

You might get a more definitive answer CCing the developer
distro...since this really isn't a simple "configuration and support"
question....but they might just ignore the non-dev question.

If you get the answer off list, please update =)

S

On Sat, Apr 12, 2014 at 1:55 PM, mi2 co2 <te...@hotmail.com> wrote:
> Hi - I have a question regarding heartbleed and httpd configuration data
> leakage.
>
> Should someone have been exploting this bug, would it be possible that httpd
> configuration data, derived via httpd confg files and in apache's memory,
> could have been leaked out through these openssl malloc calls? Or is the
> memory space those malloc calls for the openssl encryption/decryption layer
> isolated from the memory where httpd configuration would be stored?
>
> thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org