The Heartbleed Bug
-
Espen Harlinn wrote:
There shouldn't be any passwords to read from the memory on the server - only the cryptographic digest, which, on it's own should be worthless ...
Hashed passwords (even salted) can be cracked much faster than you think in may cases because people are bad at generating randomness. As such by going through likely passwords it is possible to crack thousands of passwords in a few hours.
J. Adam Armstrong wrote:
As such by going through likely passwords it is possible to crack thousands of passwords in a few hours.
That's certainly true.
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
-
Espen Harlinn wrote:
There shouldn't be any passwords to read from the memory on the server
What happens when someone logs in? The password is sent to the server (over SSL) and so the server may have have it in a variable in memory for a period of time. How long the variable lives depends on the platform and scope (Allocated on the stack? Allocated on a memory managed heap? Static buffer constantly being overwritten?)
cheers Chris Maunder
You mention several things that have been used to crack security in the past. As usual xkcd got it right: Heartbleed Explanation[^] What makes heartbleed unique is not the bug in itself, it's the number of systems that are affected. We've seen bugs that allow server memory to be read before, and it's highly likely that we will see them again. Now, lets head over to the wonderful world of automation where systems are, as a rule of thumb, never patched. Many Devices Will Never Be Patched to Fix Heartbleed Bug[^]
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra