Re: Coding Practice [was Re: Serious OpenSSL vulnerability]

On 26 April 2014 03:38, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
> On Wed, 2014-04-23 at 23:26 -0400, Rahul Sundaram wrote:
>> millions and millions of affected users who had to go ahead and change
>> passwords for many many things they rely on
>
> One thing I haven't seen mentioned, here or elsewhere, was whether the
> bug could only affect you if they tried to hack the server while you
> were using it.  Or if it was possible to extract useful data well after
> you had been and gone.  Since it's talking about reading data beyond
> what's expected, I suspect it may be that you were vulnerable even
> sometime after your session, if the server hadn't re-used the memory for
> something else, yet.
>

The simplest 'backwards' exploit is if the private keys were stolen
then other encrypted traffic captured which had used the same keys
could then be decoded. Though IIUC 'perfect forward secrecy' should
reduce the risk of that. As you say there's also whatever data is
still in memory, that's a shorter window. I don't know how Apache
memory is structured, but I'd speculate there's the potential to leak
hashed passwords there.


-- 
imalone
http://ibmalone.blogspot.co.uk
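The reply above distinguishes two after-the-fact risks: a stolen long-term private key lets a passive recorder decrypt previously captured sessions, unless the handshake used (perfect) forward secrecy, in which case the long-term key only authenticated the exchange and the session keys were never derivable from the transcript. The following is an added example, not code from the thread or from OpenSSL: a toy model of both handshake styles with constructed stand-in primitives (a tiny DH group, HMAC in place of a signature, a SHA-256 counter keystream in place of a real cipher). It shows structurally why a leaked long-term key recovers the session key from a static key-transport transcript but not from an ephemeral one. It does not model the other window the reply mentions, data still sitting in process memory during or shortly after a session, which forward secrecy does nothing about.

```python
# Added example (not from the mailing-list thread): toy model of why forward
# secrecy limits what a leaked long-term key lets a passive recorder decrypt
# later. Every primitive here is a constructed stand-in, not real TLS.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Toy DH group: a Mersenne prime and a small generator, chosen for readability.
# Far too small for real use; it only illustrates the handshake structure.
P = 2**127 - 1
G = 3


def kdf(*parts: bytes) -> bytes:
    """Derive a 32-byte key from its inputs (stand-in for a real KDF)."""
    return hashlib.sha256(b"|".join(parts)).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def static_handshake(server_key: bytes) -> Tuple[Dict, bytes]:
    """RSA-style key transport: the client wraps a fresh session key under the
    server's long-term key, so the transcript plus that key yields the session."""
    nonce = secrets.token_bytes(16)
    session_key = secrets.token_bytes(32)
    wrapped = xor_stream(kdf(server_key, nonce), session_key)
    transcript = {"mode": "static", "nonce": nonce, "wrapped_key": wrapped}
    return transcript, session_key


def ephemeral_handshake(server_key: bytes) -> Tuple[Dict, bytes]:
    """DHE-style exchange: fresh exponents per session; the long-term key only
    authenticates the server's public value. The exponents are discarded after
    use, so they never appear in the transcript."""
    a = secrets.randbelow(P - 2) + 1          # client ephemeral secret
    b = secrets.randbelow(P - 2) + 1          # server ephemeral secret
    pub_client = pow(G, a, P)
    pub_server = pow(G, b, P)
    tag = hmac.new(server_key, pub_server.to_bytes(16, "big"), "sha256").digest()
    session_key = kdf(pow(pub_client, b, P).to_bytes(16, "big"))
    # Both sides arrive at the same key from their own secret and the other's public value.
    assert session_key == kdf(pow(pub_server, a, P).to_bytes(16, "big"))
    transcript = {"mode": "ephemeral", "pub_client": pub_client,
                  "pub_server": pub_server, "tag": tag}
    return transcript, session_key


def recover_session_key(leaked_server_key: bytes, transcript: Dict) -> Optional[bytes]:
    """What a recorder who later obtains the server's long-term key can do with a
    saved handshake. Only the static transcript actually carries the session key."""
    if transcript["mode"] == "static":
        return xor_stream(kdf(leaked_server_key, transcript["nonce"]), transcript["wrapped_key"])
    # Ephemeral: the leaked key can only verify the tag. The secret exponents are
    # gone, and the session key is not a function of transcript + long-term key.
    expected = hmac.new(leaked_server_key, transcript["pub_server"].to_bytes(16, "big"), "sha256").digest()
    assert hmac.compare_digest(expected, transcript["tag"])
    return None


def demo() -> Dict[str, bool]:
    """Record a session of each kind, then leak the long-term key afterwards and
    report whether the recorded application data can be decrypted."""
    server_key = secrets.token_bytes(32)
    message = b"session cookie=abc123"      # constructed sample application data
    results = {}
    for handshake in (static_handshake, ephemeral_handshake):
        transcript, session_key = handshake(server_key)
        ciphertext = xor_stream(session_key, message)   # captured on the wire
        recovered = recover_session_key(server_key, transcript)  # key leaks later
        results[transcript["mode"]] = bool(recovered) and xor_stream(recovered, ciphertext) == message
    return results


if __name__ == "__main__":
    print(demo())  # {'static': True, 'ephemeral': False}
```

The asymmetry is entirely in what the transcript contains: the static handshake ships the session key (wrapped) across the wire, so the long-term key is the only missing piece; the ephemeral handshake ships only public values, and the per-session exponents that would unlock them are erased once the key is derived. That is the property the reply refers to as reducing the risk of retrospective decryption, and it is why defenders prefer ECDHE/DHE cipher suites; it does not shorten the separate window in which session state is still resident in server memory.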