6 thoughts on “Sony Online Entertainment Quickly Patches for Heartbleed Bug

  1. This “heartbleed bug” reminds me far too much of the “Y2K” bug.

    Lots of angst and no evidence of anyone even trying to exploit it. Also no coherent explanation of how the transmission of an almost random 64k chunk of memory would be mapped to useful data.

    Yes users of the OpenSSL library need to patch it, and consider other measures but the hype is extraordinary.

  2. Milli, it’s not theoretical and no fingerprints because it doesn’t require elevated permission to access the memory in 64k chunks (along other reasons). You can get a different chunk each handshake request.
    It’s so serious because you can get the private key for the servers that can be used at will until they renew them (which could cost and be deferred). So, even patching doesn’t remove the threat until keys and passwords are changed.

    1. You do not understand the nature of the bug. The client sends a request that returns a known two byte string followed by the remainder of a 64k chunk of memory. Repeated request do not increment the chunk being returned (the same chunk could, theoretically, be returned over and over again. The more likely outcome of repeated requests is slightly different 64k chunks, all beginning with the same two byte string (it is sent in the request and returned). Yes there has been a demonstration of the concept of key recovery. However no details have been provided of how many requests were sent or if the demonstration included multiple non-hacking clients as well as the hacking client. You should also read http://arstechnica.com/security/2014/04/how-heartbleed-transformed-https-security-into-the-stuff-of-absurdist-theater/

Leave a Reply