Comment by rmc
12 years ago
It might be able to read the memory of the ssl server that's making the response. Including maybe the ssl private key
12 years ago
It might be able to read the memory of the ssl server that's making the response. Including maybe the ssl private key
Yes, to be clear (esp. for others reading this thread) this is really bad, but shouldn't be able to compromise your ssh server keys.
However -- ssl certs and session keys are a likely target, and combined with passively logging traffic that is enough to compromise all data going over ssl, such as login/passwords and data.
Problem servers include not only web servers, but also imap/pop and smtp servers supporting tls (via openssl -- afaik gnutls isn't vulnerable to this bug).