Friday, April 11, 2014

Heartbleed - A picture that tell a thousand words

20140414 Update #2
The server's private key can be obtained. This is confirmed. See here.

Update #1:
Apparently NSA KNEW about this since years ago. Surprised? Not really...

Well explained. Picture taken from xkcd -

How bad is heartbleed? Very bad. It affects not only https. But all other applications, servers , routers, firewalls that use OpenSSL.

We have heard all the bad news. But, there is a little good news. Retrieving private keys may not be that easy. This post explains it all. However, getting passwords are still easy if you are lucky (well, try a few times). There are a few websites that you can use to check if a website is vulnerable, but done give you the dumps. Here is the python script that give you the dump.
Tips: run it in debug mode.