
Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Sat, 12 Apr 2014 18:41:20 -0400

For our own safety and the benefit of combined HTTP/HTTPS servers for
Subversion worldwide: is there a published test to verify that HTTP
servers do not have the same flaw due to also being configured for
SSL?

On Sat, Apr 12, 2014 at 2:33 PM, Ben Reser <ben_at_reser.org> wrote:
> On 4/12/14, 1:30 AM, Thorsten Schöning wrote:
>> Are you sure about that? From my understanding it is necessary that
>> data passes OpenSSL's memory to get retrieved because it implements
>> its own malloc. I had the feeling that in case of heartbleed only
>> sending passwords over http would have been the "more secure" way
>> because in that case they wouldn't have been retrievable because they
>> never passed memory allocated using OPENSSL_malloc() at all.
>
> No that's not accurate at all. The malloc implementation doesn't matter at
> all, the process can read memory that's allocated by any memory allocator.
> Ultimately all of them have to use the same kernel interfaces to request the
> memory.
>
> The requirements are that the memory be allocated in a larger memory address
> than the memory being used for the heartbeat feature and that it be within 64k
> of that memory space. With memory fragmentation and a lot of requests just
> about anything can be retrieved.
>
>
Received on 2014-04-13 00:41:51 CEST
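The mechanics Ben describes above, as an added example that is not part of the thread and not OpenSSL's code: a C model of the TLS heartbeat handler in its pre-1.0.1g shape (payload length taken from the peer and never compared with the record actually received) next to the 1.0.1g-style bounds check. The 64k figure comes from the 16-bit length field. The 4 KiB arena, the record placement and the "svn password" string are constructed for the demo so the over-read stays inside memory the process owns; on a real server the memcpy reads whatever happens to be mapped at the higher addresses following the record, whichever allocator put it there.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_RESP  (1 + 2 + 65535 + HB_PADDING)   /* largest possible response */

/* Vulnerable handler: the 16-bit payload length comes from the peer and is
 * never checked against rec_len, so memcpy reads past a short record. */
size_t hb_process_vulnerable(const unsigned char *rec, size_t rec_len,
                             unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned)p[0] << 8) | p[1];
    p += 2;
    const unsigned char *pl = p;
    (void)rec_len;                                 /* ignored: this is the bug */
    if (hbtype != HB_REQUEST)
        return 0;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                       /* over-read of up to 64 KiB */
    bp += payload;
    memset(bp, 0, HB_PADDING);                     /* random padding in the real code */
    return (size_t)(bp - out) + HB_PADDING;
}

/* Fixed handler: the claimed payload must fit inside the received record,
 * otherwise the request is silently discarded. */
size_t hb_process_fixed(const unsigned char *rec, size_t rec_len,
                        unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)              /* too short to carry a length */
        return 0;
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return 0;
    if (hbtype != HB_REQUEST)
        return 0;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return (size_t)(bp - out) + HB_PADDING;
}

typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *);

static const char SECRET[] = "svn password: hunter2";   /* constructed sample */

/* Constructed heap: a 4 KiB arena with the heartbeat record at its start and
 * a later allocation, holding the secret, at a higher address within it.
 * Returns 1 if the secret shows up in the response, 0 if not, -1 on OOM. */
static int run_leak_demo(hb_handler handler)
{
    enum { ARENA = 4096, SECRET_OFF = 256, CLAIMED = 1024 };
    unsigned char *arena = calloc(ARENA, 1);
    unsigned char *resp  = malloc(HB_MAX_RESP);
    if (!arena || !resp) { free(arena); free(resp); return -1; }

    unsigned char *rec = arena;                    /* 3-byte payload "abc" ...   */
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(CLAIMED >> 8);        /* ... but the length field  */
    rec[2] = (unsigned char)(CLAIMED & 0xff);      /*     claims 1024 bytes      */
    memcpy(rec + 3, "abc", 3);
    size_t rec_len = 1 + 2 + 3 + HB_PADDING;       /* what actually arrived: 22 */

    memcpy(arena + SECRET_OFF, SECRET, sizeof SECRET);

    size_t n = handler(rec, rec_len, resp);
    int leaked = 0;
    for (size_t i = 0; i + sizeof SECRET <= n; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0) { leaked = 1; break; }
    free(arena); free(resp);
    return leaked;
}

int demo_leak_vulnerable(void) { return run_leak_demo(hb_process_vulnerable); }
int demo_leak_fixed(void)      { return run_leak_demo(hb_process_fixed); }

/* A well-formed request still gets a response from the fixed handler. */
size_t demo_fixed_valid(void)
{
    static unsigned char resp[HB_MAX_RESP];
    unsigned char rec[1 + 2 + 4 + HB_PADDING] = { HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g' };
    return hb_process_fixed(rec, sizeof rec, resp);   /* 1 + 2 + 4 + 16 = 23 */
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_leak_vulnerable());
    printf("fixed handler leaks secret:      %d\n", demo_leak_fixed());
    return 0;
}
```

The arena stands in for process memory as a whole: the secret is never passed to the heartbeat code and is not carved out of the record's allocation, yet it is returned because it sits at a higher address within the claimed length. The check in the fixed handler is the one that makes the claimed length irrelevant; it is a property of the TLS code path, so it says nothing about a listener that never runs that code.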

This is an archived mail posted to the Subversion Users mailing list.
