Board: Bitcoin Discussion
Topic: Re: Heartbleed Vulnerability - We Need to be Careful
by franky1 on 13/04/2014, 13:57:32 UTC

new information coming to light, thanks. and thanks again for showing a link with actual viable information, rather than speculation. now the next point, the article mentions that by stealing keys, exploiters can then set up dummy websites to phish the genuine website, so that users log in thinking it's genuine.

my question is:
if heartbleed can be used not only to get the private key (certificate), but to also get users' unencrypted log-in data... why need to then make a phishing site to get users to log into exploiters' cloned websites... to basically gather people's usernames and passwords.

my speculative theory is that the heartbleed can only gather the site's private key (certificate) but cannot decrypt user data. thus needing to make a phishing site to get user data. the only user data they can decrypt is their own. which is why Filippo can only see "yellow submarine" in cleartext and the rest is gibberish. apart from the website's own certificate soon after a reboot.