This could, in theory, allow discovering IDs of sessions that are either active or cached on the server end. IDs are passed in clear between SSL peers, so being able to recover them doesn't compromise the security of the protocol.<p>That said, this can be used to estimate the size of the server's session list and to covertly measure and monitor the volume of its activity. This can come handy in some cases, but then splicing into server's Internet connection and passively listening to the traffic would yield the same information with much less fuss.
Follow-up email: <a href="http://seclists.org/fulldisclosure/2014/Apr/149" rel="nofollow">http://seclists.org/fulldisclosure/2014/Apr/149</a><p>> Not used anywhere though, just a corpse lying around in the code. — Jann Horn
I don't see this function called anywhere in the OpenSSL source, or, for instance, the Apache source code. Could you clarify on this post?<p>EDIT: I see it exposed in 0.9.8y. Anyone know of anything that builds against this specifically and uses it?
Is it actually feasible to do a timing attack using memcpy?<p>I've been testing a bit locally, as in within the same process, without any luck. I have a hard to seeing how this would work, especially when you add network latency.<p>Does anyone have any proof-of-concept code that actually exploits memcpy with a timing attack?
Heartbleed I just about understand, as despite this not being my field, smart people successfully summarized it in an easily digestible way so that I could even explain it to my mum. Can someone ELI5 this too please?