Neel Mehta (@neelmehta)

Plagued by asymmetry; astounded by stupidity.

Joined June 2009
    Neel Mehta @neelmehta 8 Apr 2014

    Heap allocation patterns make private key exposure unlikely for #heartbleed #dontpanic.

    1:08 PM - 8 Apr 2014
    268 retweets 80 likes
    Liked by: Hyde Chris McNab Morgane Oger Yatharth Agarwal Christian Roman fows.de Charles Lavery TrickyJ Gaurang Mengar

      1. Tomas Rzepka @1njected 8 Apr 2014

         @neelmehta @tqbf We can extract the private key successfully on FreeBSD after restarting apache and making the first request with ssltest.py

         83 retweets 35 likes
      2. Mako @makomk 9 Apr 2014

         @thegrugq @1njected Cool! I've recovered it from Apache on Gentoo as a bare prime factor in binary, but your demo's a lot clearer.

         5 retweets 3 likes
      3. Tomas Rzepka @1njected 9 Apr 2014

         @makomk @thegrugq Cool, do you need to restart apache or just send enough requests?

         0 retweets 0 likes
      4. Mako @makomk 11 Apr 2014

         @1njected @thegrugq With hints from https://news.ycombinator.com/item?id=7573377 got reliable extraction from Apache defaults on Debian: pic.twitter.com/uWKQnMkaNB

         19 retweets 16 likes

    1. Ben Grubb @bengrubb 8 Apr 2014

       @neelmehta How certain are you about that?

       0 retweets 0 likes
    2. Manish Jethani @100101010000 11 Apr 2014

       Can we panic now? @neelmehta https://www.cloudflarechallenge.com/heartbleed #Heartbleed

       1 retweet 1 like
       1. Michael Calkins @qbasicmichael 9 Apr 2014

          @neelmehta @ex509 Does exploiting this never cause access violation exceptions, by reading beyond the heap allocation into an invalid page?

          0 retweets 0 likes
       2. Sean Cassidy @sean_a_cassidy 9 Apr 2014

          @qbasicmichael @neelmehta http://article.gmane.org/gmane.os.openbsd.misc/211963 …

          0 retweets 1 like
    3. Robert McMillan @bobmcmillan 10 Apr 2014

       @neelmehta Hey Neel. Do you still feel that private key exposure is unlikely? Just wondering if your thinking has changed in the past days.

       0 retweets 0 likes
    4. Paulo Barreto @pbarreto 9 Apr 2014

       @neelmehta @bsdaemon Don't panic? Really? http://blog.erratasec.com/2014/04/600000-servers-vulnerable-to-heartbleed.html … #heartbleed

       0 retweets 0 likes
    5. Root Labs @rootlabs 9 Apr 2014

       @neelmehta Aren't you giving people false hope here? I'd recommend immediate private key replacement for vulnerable servers.

       0 retweets 0 likes
    6. Andreas @i_x_s 9 Apr 2014

       @neelmehta During our tests yesterday we did find parts of private keys in memory. Reconstruction _might_ be possible from multiple dumps.

       0 retweets 0 likes
    7. Chris Woodfield @cwoodfield 8 Apr 2014

       @neelmehta @j4cob Sometimes "unlikely" Just Isn't Good Enough. Yes, your underwear should be turning that color right now.

       0 retweets 0 likes
    8. andreasdotorg @andreasdotorg 8 Apr 2014

       @neelmehta Exposing parameters of previous requests was bad enough.

       0 retweets 0 likes
    9. Greg Slepak @taoeffect 8 Apr 2014

       @neelmehta All systems or some? How likely? More info?

       0 retweets 0 likes
    10. nicKm -1 dude-1 love @nickm 9 Apr 2014

        @neelmehta Thanks for this comment. I wasn't sure of this and doubting that keys could be exposed. I think I may still update my keys tho! :)

        0 retweets 0 likes
    11. Attila Bukor @r1pp3rj4ck 9 Apr 2014

        @neelmehta @lsmith Still, banks and other likely targets should definitely revoke their certificates and create new ones...

        0 retweets 0 likes
    12. ◐ Benedict @e2b 8 Apr 2014

        @neelmehta Any details?

        0 retweets 0 likes
        1. VolkerMos @VolkerMos 8 Apr 2014

           @neelmehta @ex509 Source?

           0 retweets 0 likes
        2. Diti @DitiPengi 8 Apr 2014

           @VolkerMos Are you serious? You are talking to one of the discoverers of the vulnerability. (cc @neelmehta @ex509)

           0 retweets 0 likes