On 4/12/14, 1:30 AM, Thorsten Schöning wrote:
> Are you sure about that? From my understanding it is necessary that
> data passes OpenSSL's memory to get retrieved because it implements
> its own malloc. I had the feeling that in case of heartbleed only
> sending passwords over http would have been the "more secure" way
> because in that case they wouldn't have been retrievable because they
> never passed memory allocated using OPENSSL_malloc() at all.
No, that's not accurate at all. The malloc implementation doesn't matter at all; the process can read memory that's allocated by any memory allocator. Ultimately all of them have to use the same kernel interfaces to request the memory. The requirements are that the memory be allocated at a larger memory address than the memory being used for the heartbeat feature and that it be within 64k of that memory space. With memory fragmentation and a lot of requests, just about anything can be retrieved.
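The over-read the reply describes, as an added example that is not part of this thread and not OpenSSL's code: a simplified heartbeat handler trusts the 16-bit length in the record header and copies that many bytes starting at the payload, so anything at a higher address within 65535 bytes of the payload is echoed back, whichever allocator placed it there. The "heap" here is one calloc'd arena (an assumption made so the over-read stays inside memory the program owns), the secret string is constructed, and the offsets are arbitrary; the bounds check in the fixed handler follows the shape of the check OpenSSL added in 1.0.1g, which compares header plus claimed payload plus padding against the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated heap arena: the heartbeat record sits at the start and a secret
 * from an unrelated allocation sits a few hundred bytes above it. One calloc()
 * keeps the over-read inside memory we own; in a real process it runs into
 * whatever neighbouring allocation is there, regardless of which allocator
 * (OPENSSL_malloc, system malloc, anything else) produced it. */
#define ARENA_SIZE   4096
#define SECRET_OFF   300            /* assumption: higher address, within 64k */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

static const char SECRET[] = "password=hunter2";   /* constructed sample */

/* The 16-bit length field bounds the over-read at 65535 bytes, which is the
 * "within 64k" the reply refers to. */
static size_t parse_claimed_len(const unsigned char *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable handler: trusts the length the peer claims and copies that many
 * bytes from the payload, even if the record actually carried fewer.
 * Returns bytes written to out, or -1. */
int hb_vulnerable(const unsigned char *rec, size_t rec_len,
                  unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = parse_claimed_len(rec);
    if (3 + claimed + HB_PADDING > out_cap)
        return -1;                       /* only the response buffer is checked */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(claimed >> 8);
    out[2] = (unsigned char)(claimed & 0xff);
    memcpy(out + 3, rec + 3, claimed);   /* reads past the real payload */
    memset(out + 3 + claimed, 0, HB_PADDING);
    return (int)(3 + claimed + HB_PADDING);
}

/* Fixed handler: reject any record whose declared payload plus header and
 * padding exceeds what was actually received (the shape of the 1.0.1g fix). */
int hb_fixed(const unsigned char *rec, size_t rec_len,
             unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = parse_claimed_len(rec);
    if (3 + claimed + HB_PADDING > rec_len)
        return -1;                       /* silently drop the record */
    return hb_vulnerable(rec, rec_len, out, out_cap);
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Build the arena with a 1-byte payload whose header claims 1024 bytes, run
 * one handler, and return 1 if the secret shows up in its response. */
static int run(int (*handler)(const unsigned char *, size_t,
                              unsigned char *, size_t))
{
    unsigned char *arena = calloc(ARENA_SIZE, 1);
    unsigned char resp[ARENA_SIZE];
    if (!arena)
        return -1;
    arena[0] = HB_REQUEST;
    arena[1] = 0x04; arena[2] = 0x00;               /* claims 1024 bytes */
    arena[3] = 'A';                                 /* real payload: 1 byte */
    memcpy(arena + SECRET_OFF, SECRET, sizeof SECRET);
    size_t rec_len = 3 + 1 + HB_PADDING;            /* what actually arrived */
    int n = handler(arena, rec_len, resp, sizeof resp);
    int leaked = n > 0 && contains(resp, (size_t)n, SECRET);
    free(arena);
    return leaked;
}

int vulnerable_leaks_secret(void) { return run(hb_vulnerable); }
int fixed_leaks_secret(void)      { return run(hb_fixed); }

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler leaks secret:      %d\n", fixed_leaks_secret());
    return 0;
}
```

Nothing in the vulnerable path consults the allocator: the copy is a plain memcpy from an address the peer's length field lets it run past, which is why data that never touched OPENSSL_malloc() is just as exposed when it happens to sit above the payload. Repeating the request many times against a fragmenting heap changes what lands in that window, which is the "lots of requests" part of the reply.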