If one were using ASLR would this have mostly mitigated this? (I just rebuilt wi... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		anaphor on April 8, 2014 \| parent \| context \| favorite \| on: OpenSSL Security Advisory: TLS heartbeat read over... If one were using ASLR would this have mostly mitigated this? (I just rebuilt without the heartbeat extension but I'm curious). Also how exploitable is this?

mpyne on April 8, 2014 | [–]

I don't think ASLR helps here one single bit.

ccpost on April 8, 2014 | [–]

I've been running the exploit against our test app (through AWS ELB), and have managed to get a fair bit of data out. Got snippets from HTTP requests on other threads including session cookies and even login passwords.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact