Posted to users@httpd.apache.org by LuKreme <kr...@kreme.com> on 2014/04/16 05:05:45 UTC

[users@httpd] Re: heartbleed and httpd configuration

On 15 Apr 2014, at 15:27 , Christopher Schultz <ch...@christopherschultz.net> wrote:

> Steven,
> 
> On 4/12/14, 2:15 PM, Steven Siebert wrote:
>> I think it would be unlikely because the httpd configuration data
>> would be read into memory early on the heap (and in a very low
>> volatile area where that memory wouldn't often be freed up), whereas
>> the heartbeat would be much later in the heap, and thus the buffer
>> overflow would very unlikely affect it.
>> 
>> You might get a more definitive answer CCing the developer
>> distro...since this really isn't a simple "configuration and support"
>> question....but they might just ignore the non-dev question.
>> 
>> If you get the answer off list, please update =)
> 
> This is what CloudFlare thought, and they dared someone to steal their
> key using Heartbleed. 9 hours later...
> 
> http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge
> 
> Then again, they were using Nginx. But the idea is that everything is
> theoretically snoopable via Heartbleed.

Right, but it also shows that it’s unlikely without someone making a concerted effort. The first successful attempt required a million queries.

-- 
'But look,' said Ponder, 'the graveyards are full of people who rushed
in bravely but unwisely.' 'Ook.' 'What did he say?' said the Bursar.  'I
think he said, "Sooner or later the graveyards are full of everybody".'


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
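The question in this thread is whether bytes that live elsewhere in the process (httpd configuration, key material) can come back in a heartbeat response. The following is an added example, not code from the original post or from OpenSSL: a toy C model of the heartbeat bug in which the "heap" is a single constructed byte array, the record sits at the front of it, and a constructed marker string stands in for whatever unrelated data happens to follow the record in memory. The vulnerable responder trusts the 16-bit length inside the record; the fixed responder adds the bounds check that OpenSSL 1.0.1g added (claimed payload plus header and padding must fit in the record actually received, otherwise the heartbeat is discarded). The function and variable names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the TLS heartbeat over-read (CVE-2014-0160), constructed for
 * illustration; this is not OpenSSL code.
 * Record layout: type(1) | payload_length(2, big-endian) | payload | padding(16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for unrelated data adjacent to the record in memory. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (fake)";

/* Vulnerable responder: uses the attacker-supplied length field and never
 * compares it with rec_len, so memcpy reads past the record into whatever
 * follows it. */
size_t hb_respond_vulnerable(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* attacker-controlled */
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);                 /* BUG: over-read */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Fixed responder: the claimed payload plus header and padding must fit inside
 * the record that was actually received; otherwise the heartbeat is dropped. */
size_t hb_respond_fixed(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return 0;                                          /* length lie -> discard */
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Simulated heap region: a 23-byte request carrying the 4-byte payload "ping"
 * but claiming claimed_len payload bytes, immediately followed by SECRET.
 * Returns the true record length. */
size_t build_arena(uint8_t *arena, size_t arena_len, uint16_t claimed_len)
{
    const size_t true_len = 1 + 2 + 4 + HB_PADDING;        /* 23 */
    memset(arena, 0, arena_len);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + true_len, SECRET, sizeof SECRET - 1);   /* adjacent "heap" data */
    return true_len;
}

static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* 1 if a request claiming 64 payload bytes (carrying 4) pulls SECRET back. */
int vulnerable_leaks_secret(void)
{
    uint8_t arena[256], out[128];
    size_t rec_len = build_arena(arena, sizeof arena, 64);
    size_t n = hb_respond_vulnerable(arena, rec_len, out, sizeof out);
    return n > 0 && contains(out, n, SECRET);
}

/* Bytes the fixed responder returns for the same malicious record (0 = dropped). */
size_t fixed_response_to_malicious(void)
{
    uint8_t arena[256], out[128];
    size_t rec_len = build_arena(arena, sizeof arena, 64);
    return hb_respond_fixed(arena, rec_len, out, sizeof out);
}

/* Bytes the fixed responder returns for an honest record (claimed == real). */
size_t fixed_response_to_honest(void)
{
    uint8_t arena[256], out[128];
    size_t rec_len = build_arena(arena, sizeof arena, 4);
    return hb_respond_fixed(arena, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable responder leaks adjacent memory: %s\n",
           vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed responder, malicious record: %zu bytes\n", fixed_response_to_malicious());
    printf("fixed responder, honest record:    %zu bytes\n", fixed_response_to_honest());
    return 0;
}
```

The over-read stays inside the constructed arena here so the program is well-defined; in a real process the same memcpy walks into whatever the allocator placed after the record, which is why the earlier heap-layout argument only lowers the odds per request rather than ruling a leak out, and why enough repeated requests eventually hit something interesting.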