On Fri, Apr 11, 2014 at 04:43:03PM +0200, rysiek wrote:
> How do you get owned by a browser bug on a server? I mean, HB is huge, because:

Own the admin or something like this (probably doesn't work for all admins, check the ACLU snowden docs for how NSA targets admins via browser bugs).

> - it affects servers;
> - potentially allows access to private keys and passwords;
> - this, in case of forward-secrecy-less setups allows the bad guys to decrypt all saved traffic.
>
> It's as bad as any root-level remote exploit on a server. And because, you

Disagree. AFAICT it doesn't affect openssh, only TLS. remote preauth openssh would be fun, though ;)

> know, "everybody uses OpenSSL", and because it was unknown but in the code for 2+ years, the attack surface was (and is) huge.

Continue to believe that much more info is stolen via client bugs U buggy CMS/cgi + privilege escalation (see kernel changelogs).

> > Is there a significant rise of revoked certs caused by HB paranoia?
>
> No idea, but we're considering revoking ours.

This is sound, suspect you are minority. Most people don't reinstall even after full ownage.

-- 
cheers