Re: CVE-2014-0160 is putting bitcoin sites at risk

Quote from: nibor on April 08, 2014, 09:39:03 PM

That has got to be bug of the century... if not ever.

Implies that for 2 years since code was released anyone running a server using openssl 1.0.1 (upto 1.0.1f inclusive) an attacker could silently (i.e. no logging or trail) download the ssl private key off the server. And then if they could intercept any ssl traffic between server and client they could then decrypt that data (again silently leaving no trace). And could have been doing that for 2 years.

Or have I got the wrong end of the stick here?

This implies that every users need to change every password on every site that was using 1.0.1?

Refs:
https://heartbleed.com/
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3;hp=0d7717fc9c83dafab8153cbd5e2180e6e04cc802
http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit

You are correct, and there are many other ways to exploit the server memory. For example, it has been shown (and I tested it on my own servers) that you can dump the HTTP headers (no trace left!) and extract session IDs. You can then trivially use that session id to masquerade as a logged in user. It's REALLY easy.