20140414 Update #2
The server's private key can be obtained. This is confirmed. See here.
Update #1:
Apparently NSA KNEW about this since years ago. Surprised? Not really...
Well explained. Picture taken from xkcd - http://xkcd.com/1354/
How bad is Heartbleed? Very bad. It affects not only HTTPS, but every other application, server, router and firewall that uses OpenSSL.
We have heard all the bad news. But there is a little good news: retrieving private keys may not be that easy. This post explains it all. However, getting passwords is still easy if you are lucky (well, try a few times). There are a few websites that you can use to check whether a website is vulnerable, but they don't give you the dumps. Here is the Python script that gives you the dump.
Tips: run it in debug mode.
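As an added illustration (not the post's script and not OpenSSL code), the checker below implements the bounds comparison the OpenSSL fix introduced for TLS heartbeat records, run over constructed sample records; the record whose declared payload length exceeds what it actually carries is the shape that makes an unpatched server answer with leaked memory, which is what a detector should flag.

```python
"""Added example, not from the post: a checker for the length mismatch
behind Heartbleed (CVE-2014-0160) in TLS heartbeat records (RFC 6520).
It mirrors the bounds check the OpenSSL fix added, so it can serve as
IDS-style detection logic over captured TLS records."""
import struct

TLS_HEARTBEAT = 24       # TLS content type for heartbeat records
PADDING_MIN = 16         # RFC 6520: at least 16 bytes of random padding


def check_heartbeat_record(record):
    """Return a summary dict for one raw TLS record.

    'malformed' is True when the heartbeat's declared payload_length, plus
    the 3-byte heartbeat header and minimum padding, exceeds the bytes
    actually present in the record: an unpatched OpenSSL would copy
    payload_length bytes from its own memory in reply to such a record."""
    if len(record) < 5:
        return {"heartbeat": False, "reason": "short record header"}
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False, "reason": "not a heartbeat record"}
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return {"heartbeat": True, "malformed": True,
                "reason": "truncated heartbeat body"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    needed = 1 + 2 + payload_len + PADDING_MIN   # same arithmetic as the fix
    malformed = needed > len(body)
    return {"heartbeat": True, "hb_type": hb_type, "payload_len": payload_len,
            "record_len": len(body), "malformed": malformed,
            "reason": "payload_length exceeds record" if malformed else "ok"}


def count_malformed(records):
    """Number of records that would trigger the Heartbleed over-read."""
    return sum(1 for r in records if check_heartbeat_record(r).get("malformed"))


# Constructed sample records (not real captures):
HEADER = bytes([TLS_HEARTBEAT, 0x03, 0x02, 0x00, 0x17])        # TLS 1.1, len 23
PADDING = b"\x00" * PADDING_MIN
GOOD = HEADER + bytes([0x01, 0x00, 0x04]) + b"ping" + PADDING   # says 4, has 4
BAD = HEADER + bytes([0x01, 0x40, 0x00]) + b"ping" + PADDING    # claims 16384
HANDSHAKE = bytes([0x16, 0x03, 0x01, 0x00, 0x02, 0x01, 0x00])   # not heartbeat

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD), ("HANDSHAKE", HANDSHAKE)):
        print(name, check_heartbeat_record(rec))
```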