XarothBrook
Highest Rated Comments
XarothBrook37 karma
While I do agree with your assumption; do keep in mind that it was the webserver hosting the tests that was also doing the logging; this means that the webserver has a complete log of all systems that failed the test.
Let's assume that /u/FiloSottile was of malicious intent; he would be able to use that list to steal hundreds, if not thousands of keys from systems as people continued to run the tests on his site.
Now this is an extreme case, but I'm sure you can imagine the discussions one can have (like we had in our office) about blind trust, hours after a debacle like heartbleed
XarothBrook132 karma
Hi Filippo,
Perhaps not something most people noticed, but why is your go app writing down the results of every request made to a log?
edit: https://github.com/FiloSottile/Heartbleed/blob/master/bleed_serve.go#L66-L79
View HistoryShare Link