Heartbleed-ing out
Another flaw that gained a ton of press and attention is the very serious Heartbleed vulnerability (CVE-2014-0160, http://heartbleed.com). Unlike POODLE, this couldn't just be configured away but requires a patch to the underlying OpenSSL software that was used by roughly three-quarters of internet-connected hosts at the time. Where POODLE allows an attacker to guess a session cookie one byte at a time, Heartbleed is a vulnerability that allows the attacker to read all of the private encryption keys, usernames and passwords, certificates, and all the protected communications on a vulnerable host. Whereas POODLE seems to be an academic exercise against a long-replaced cipher category, Heartbleed impacted the vast majority ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access