Heartbleed OpenSSL Bug

I don’t think so. Master thread loads SSL certs, children connect to master thread so I think the key would already be loaded and passed on. Seems like this would squeeze the memory.

You would need to crash an HTTP server and force the restart while capturing for a private key to get dumped. Not 100% sure but don’t see how loading private keys every time there was a child would be the best memory usage.

Some people just like to feel important by causing panic.

I get all that, I was just trying to figure out some angle to cause all the panic :)

A lot of places are advising everyone to get all new certs

LZ wanted to publish yahoo.com’s private key on pastebin

This bug is going to be super useful for years to come on internal assessments.

All kinds of internal apps for companies never update this shit and once you have creds it’s usually easy to elevate privileges or find some other bug.

^ Shows some of the big ones affected and lists if they’re patched yet or not.

Just got done changing my Gmail, Yahoo and Facebook passwords.

It isn’t. There was the mass hysteria that it was possible and yes, it was, but the only shot it would leak is on a reboot or the quick instant that it is allocated to memory. No company would want to be the one that didn’t change their private keys and be blamed if they were the 0.001% that maybe leaked them.

malloc() dumps recent memory so you aren’t really getting SSL keys even right after a web server reboot or system reboot. The memory heap is used for something else pretty quickly so from a web server, you are getting user sessions and usernames that are passed for the most recent connections in 64k chunks. Some apps may be better at exploiting the SSL keys depending on how they are written though, as there may not be as much memory writing depending on what they are doing. Small app on big server could mean trouble. Can test this pretty simply with a small NodeJS app. Run it with SSL turned on, just output text and see if you can dump the key.

Either way, the bug is pretty cool how it works and dumb programming for sure.
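The post above mentions replies coming back in 64k chunks. As an added example (not part of the thread and not OpenSSL's code), this is the length check a heartbeat handler needs under RFC 6520 before it echoes a payload; `hb_build_response`, `demo`, `hb_out` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response */
#define HB_HDR_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding required by RFC 6520 */

/* Build the echo for the heartbeat message in msg[0..msg_len), where msg_len
 * is what the record layer actually received. Returns the response length,
 * or 0 when the message must be silently discarded. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    if (msg_len < HB_HDR_LEN + HB_MIN_PAD || msg[0] != HB_REQUEST)
        return 0;
    /* 16-bit length claimed by the peer: up to 65535, hence "64k chunks". */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    size_t need = HB_HDR_LEN + claimed + HB_MIN_PAD;

    /* The bounds check: header + claimed payload + padding must fit inside
     * the bytes received. Without it, the memcpy below reads past the
     * request into whatever the heap holds next to it. */
    if (need > msg_len || need > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HDR_LEN, msg + HB_HDR_LEN, claimed);
    memset(out + HB_HDR_LEN + claimed, 0, HB_MIN_PAD); /* real stacks use random padding */
    return need;
}

static uint8_t hb_out[HB_HDR_LEN + 0xFFFF + HB_MIN_PAD];

/* Constructed sample: 4-byte payload "ping" + 16 padding bytes on the wire,
 * with the length field set to `claimed` by the caller. */
size_t demo(uint16_t claimed)
{
    uint8_t msg[HB_HDR_LEN + 4 + HB_MIN_PAD] =
        { HB_REQUEST, (uint8_t)(claimed >> 8), (uint8_t)claimed, 'p', 'i', 'n', 'g' };
    return hb_build_response(msg, sizeof msg, hb_out, sizeof hb_out);
}

int main(void)
{
    return !(demo(4) == 23 && demo(0xFFFF) == 0);
}
```

An honest length of 4 is echoed as a 23-byte response; a claimed length of 5 or 0xFFFF over the same 23 received bytes is dropped.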

Two factor auth is your friend. May know my Gmail password but still need my phone every login.

We’re getting all new Certs issued on affected machines. We hammered our vendor with requests.

Did you regenerate your CSRs or just the reissue for the cert?

I just spent a night going through 38 servers patching SSL and regenerating certs. My god are the providers getting hammered with requests.

I believe our instructions to the application owners were to re-generate AND re-sign. Most people just follow the KB article that we have posted which instructs the user to generate the CSR, so they’re probably doing that even if they don’t realize it.

Ya probably. Once the risk was that everything was leaked, I would imagine the notice was to regenerate everything. Lol.

Such a cluster fuck

I’m curious if people are auditing the fuck out of OpenSSL now.

Yeah we let the server guys make the announcement to the users that were impacted since they were the ones communicating the patch process. We (infosec) spent most of our time identifying machines affected and making sure they were in the patch process.

This tied up a bunch of my time yesterday, thanks Obama!

Work smashed together a bunch of the information - http://accuvantstorage.blob.core.windows.net/web/file/2016b4dc040c49ee991b5721e0dd62b3/HeartBleed-Bug-CVE-2014-0160-release.pdf

Yahoo compromised? Millions of spammers and old people must be panicking

This will help the people who suck at computers

Here’s the fix for those who suck at computers:

http://static4.fjcdn.com/thumbnails/comments/Shut+up+Meg+_1ccefc10c866191ccb2dbdf22b12680d.jpg

Nice - http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

I guess that answers that - https://www.cloudflarechallenge.com/heartbleed

However the server was rebooted during testing