For our own safety and benefit of combined HTTP/HTTPS servers for Subversion worldwide: is there a published test to verify that HTTP servers do not have the same flaw due to also being configured for SSL?
On Sat, Apr 12, 2014 at 2:33 PM, Ben Reser <b...@reser.org> wrote:
> On 4/12/14, 1:30 AM, Thorsten Schöning wrote:
>> Are you sure about that? From my understanding it is necessary that data passes OpenSSL's memory to get retrieved because it implements its own malloc. I had the feeling that in case of heartbleed only sending passwords over http would have been the "more secure" way because in that case they wouldn't have been retrievable because they never passed memory allocated using OPENSSL_malloc() at all.
>
> No that's not accurate at all. The malloc implementation doesn't matter at all, the process can read memory that's allocated by any memory allocator. Ultimately all of them have to use the same kernel interfaces to request the memory.
>
> The requirements are that the memory be allocated in a larger memory address than the memory being used for the heartbeat feature and that it be within 64k of that memory space. With memory fragmentation and a lot of requests just about anything can be retrieved.
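The point Ben makes above, that the allocator is irrelevant and only address adjacency matters, is easiest to see in a small simulation. The following C program is an added example written for this page; it is not code from the thread, from Subversion, or from OpenSSL. It models "process memory" as one static byte array (a constructed arena), places a heartbeat-style record at the start of it and unrelated data (a constructed string, labelled a secret) a few bytes past the record, and then processes the record twice: once trusting the length field inside the record, as the pre-fix handler did, and once with the check that the declared length must fit inside the bytes actually received, which is what the fix enforces. The record format (1 type byte, 2 length bytes, payload) follows the heartbeat message shape; the arena layout, offsets and buffer sizes are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed "process memory": a heartbeat record at the low end, and
 * unrelated data living at a higher address a few bytes after it. No
 * real allocator is involved, which is exactly the point: any bytes at a
 * higher address within reach of the over-read are exposed. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* Constructed sample of "something else" that happens to sit nearby. */
static const char secret[] = "session-cookie=abc123";

/* Lay out a record that DECLARES claimed_len payload bytes but really
 * carries real_len bytes, then place the unrelated data 8 bytes after the
 * end of the real payload. Returns the number of bytes actually received. */
static size_t build_record(uint16_t claimed_len, size_t real_len) {
    memset(arena, 0, ARENA_SIZE);
    arena[0] = 1;                                  /* heartbeat request */
    arena[1] = (unsigned char)(claimed_len >> 8);  /* length, big-endian */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', real_len);              /* payload really sent */
    memcpy(arena + 3 + real_len + 8, secret, sizeof secret);
    return 3 + real_len;
}

static uint16_t declared_len(void) {
    return (uint16_t)((arena[1] << 8) | arena[2]);
}

/* Vulnerable handler: copies as many bytes as the record claims, with no
 * comparison against what was received. The clamp to out_cap only keeps
 * this simulation inside the arena; it is not a protocol check. */
static size_t respond_unchecked(unsigned char *out, size_t out_cap) {
    size_t len = declared_len();
    if (len > out_cap) len = out_cap;
    memcpy(out, arena + 3, len);   /* reads past the real payload */
    return len;
}

/* Fixed handler: the declared length must fit in the received record,
 * otherwise the record is silently discarded. */
static size_t respond_checked(size_t received, unsigned char *out, size_t out_cap) {
    if (received < 3) return 0;
    size_t len = declared_len();
    if (len + 3 > received) return 0;   /* length lies: drop it */
    if (len > out_cap) return 0;
    memcpy(out, arena + 3, len);
    return len;
}

/* Does the response contain the unrelated data from higher in memory? */
static int leaks_secret(const unsigned char *out, size_t n) {
    size_t m = sizeof secret - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, secret, m) == 0) return 1;
    return 0;
}

/* Scenario: a record that claims 200 bytes but carries 4. */
int unchecked_leaks(void) {
    unsigned char out[200];
    build_record(200, 4);
    size_t n = respond_unchecked(out, sizeof out);
    return leaks_secret(out, n);
}

int checked_leaks(void) {
    unsigned char out[200];
    size_t received = build_record(200, 4);
    size_t n = respond_checked(received, out, sizeof out);
    return leaks_secret(out, n);
}

/* Scenario: an honest record (claims 4, carries 4) still gets its echo. */
size_t checked_honest_len(void) {
    unsigned char out[200];
    size_t received = build_record(4, 4);
    return respond_checked(received, out, sizeof out);
}

int main(void) {
    printf("unchecked handler leaks nearby data: %s\n", unchecked_leaks() ? "yes" : "no");
    printf("checked handler leaks nearby data:   %s\n", checked_leaks() ? "yes" : "no");
    printf("checked handler echoes honest record of %zu bytes\n", checked_honest_len());
    return 0;
}
```

Nothing in the simulation asks where the nearby bytes came from; OPENSSL_malloc, the system malloc or a static buffer all end up as addresses in the same process, and the over-read only cares that they lie above the record and within the declared length. The single added comparison in `respond_checked` is what removes the problem, which is why the fix was a length check rather than an allocator change.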