On Fri, 2014-04-11 at 20:01 +0200, Carlos E. R. wrote:
On 2014-04-11 16:41, Per Jessen wrote:
Wild guessing - if you have TSL enabled in your mail-server, I guess the vulnerability could have been used to extract data from it, but if your private key was never on that system ...
I know little of how the vulnerability works, but apparently they trick the machine (client? server? both?) to freely send a copy of 64 KB of RAM, which may contain anything. I don't clearly know if they can walk all memory, or just memory from the process that responds, or the memory assigned to the user of that process, or just one 64 KB block, where a particular buffer should have been assigned, but was not really assigned (ie, a non initialized pointer?). Or the block was assigned but not erased previous to been used.
regarding TLS-secured daemons, it might be a big step get store all of those private keys into a HSM. All crypting/decrypting is done by the crypto-engine: off-line, so the private-key is never in the servers-mem -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org