What are pre-requisites for Heartbleed exploit? [closed]

Question

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

---

This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.

Closed 9 years ago.

Improve this question

I have read http://heartbleed.com/ and searched extensively and I cannot understand this basic point.

For example, Wikipedia shows an attacker sending a bogus heartbeat request to a vulnerable server and getting a bunch of private data in reply including SSL keys etc: https://en.wikipedia.org/wiki/Heartbleed

However, the question I have is: can this attacker be ANYONE? Or does the attacker already need to have access to an account on the server?

I am surprised I am having trouble finding this info because it seems to me that the answer helps clarify the significance of the vulnerability for a given server.

For example: if you have a small "private" server with accounts given only to trusted people who follow good security practices, and you are reasonably certain these accounts were not compromised, does that mean you are (most likely) in the clear? Or is there some way for an attacker to get the data without even stealing a login?

Answer 1

Anyone who can connect to the server can get leaked information. The most probable way of exploiting the Heartbleed is connecting to your web server with HTTPS. Since encrypting the traffic is usually handled by OpenSSL, you can gain the secret key used to encrypt the traffic and decrypt it yourself. To use the exploit, you don't need to have user accounts on the server.