*modest cough*
http://forums.theregister.co.uk/forum/1/2014/09/25/shell_shocked_not_yet/#c_2309628
Media hype is affecting vendors’ patching strategies to the detriment of internet security, vulnerability management firm Secunia warns. The high-profile Heartbleed OpenSSL vulnerability triggered the mass patching of 600 products by more than 100 vendors within just 40 days. A further OpenSSL vulnerability from June 2014 led …
"There's nothing 'only' about a flaw that exposes usernames and passwords in plaintext."
Although the POTENTIAL was there to expose usernames and passwords, it was still wildly a crap shoot as to what information you could actually obtain from the random memory locations. The fact that you couldn't easily detect an attack is what made it so hard to accurately determine the level of the data leak.
"Although the POTENTIAL was there to expose usernames and passwords, it was still wildly a crap shoot as to what information you could actually obtain from the random memory locations."
It's not about what information YOU, or you, or you could gain; it's what information was gained, after how long... and by those government types? I'm sure you (or we) gained very little information, but then we don't have an endless budget; we have to go to work in the morning, perhaps kids afterward (if you're unlucky)...
Trillions (or more) of SSL connections, and you have the means to capture it all, all the supercomputers you can dream of at your disposal, plus an around-the-clock staff. Any flaw in the armor of privacy is critical.
This is another worthless Register article. Who gives a shit about a logo? Execs, that's who. And if that's what it takes to get their attention, then stick a dagger in that heart. I'm not a fan of C-wing response to critical vulns, but if it gets them to FINALLY listen to security, then slap a big titty / cock on the front page and grab their attention.
"Although the POTENTIAL was there to expose usernames and passwords, it was still wildly a crap shoot as to what information you could actually obtain from the random memory locations."
Sigh. Due to OpenSSL's custom (rubbish) memory allocator, typical Heartbleed-vulnerable servers could be induced to disclose private keys with high probability. After that it is Game Fucking Over.
A number of people - Randall Munroe, for example - ran actual real-world tests on Heartbleed vulnerabilities in extant servers. The results showed conclusively that the problem was severe.
Referring to it as a "crap shoot" greatly underestimates the likelihood of exposing sensitive data. OpenSSL's architecture is near-optimal for this sort of attack.