
In order for a Heartbleed attack to happen and for someone to grab the SSL private key and even spy, they have to be on the local network with a router, switch or server, correct?

Or can this be done to any server directly over the internet? I always thought packet sniffing had to be done locally.

Jason
    Please read the many, many posts (over 100) we already have on Heartbleed. You will find your answer there. – Rory Alsop Apr 23 '14 at 05:45

1 Answer


Heartbleed does not have anything related to packet sniffing for the exploit to work. It is exploiting a buffer overflow bug which then gains access to the server memory. A normal heartbeat request would be like:

User: request server to reply "Hello"

Server: reply "Hello"

Now, after exploiting the buffer overflow:

User: request server to reply - part of their stored memory

Server: reply - stored memory that might contain the private key, passwords and whatever data is stored in their memory.

In summary, Heartbleed steals the information by sending an abnormal request to the server to return part of their memory data instead of simple "Hello" packets.

Sky
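The length check a heartbeat handler needs before echoing the payload, as an added example (not part of the answer above and not OpenSSL's own code). The function name `hb_respond` and the constants are hypothetical; the message layout (type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request, RFC 6520 */
#define HB_RESPONSE 2   /* heartbeat_response, RFC 6520 */
#define HB_MIN_PAD  16  /* minimum padding length, RFC 6520 */

/*
 * Hypothetical handler: build the response to one received heartbeat record.
 * rec/rec_len are the bytes that actually arrived; out/out_cap is the
 * response buffer. Returns the response length, or 0 when the message is
 * silently discarded.
 */
size_t hb_respond(const uint8_t *rec, size_t rec_len,
                  uint8_t *out, size_t out_cap)
{
    /* A valid message holds at least type(1) + length(2) + padding(16). */
    if (rec_len < 1 + 2 + HB_MIN_PAD)
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;

    /* payload_length is chosen by the sender, so it is untrusted input. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The claimed payload must fit inside the bytes that really arrived.
     * Without this check the memcpy below reads past the end of rec and
     * sends neighbouring memory back to the requester. */
    if (1 + 2 + claimed + HB_MIN_PAD > rec_len)
        return 0;

    size_t resp_len = 1 + 2 + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);         /* echo only what was sent */
    /* Zero padding is a simplification here; RFC 6520 asks for random bytes. */
    memset(out + 3 + claimed, 0, HB_MIN_PAD);
    return resp_len;
}
```

The request is an ordinary TLS record sent over the TCP connection, so the length check is the only thing standing between a remote client and the server's memory; network position plays no part.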