At the end of last week, engineers at CloudFlare said that they had been unable to exploit the Heartbleed bug to steal SSL keys from a server:
We’ve spent much of the time running extensive tests to figure out what can be exposed via Heartbleed and, specifically, to understand if private SSL key data was at risk.
Here’s the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data.
So, they set the internet a challenge – putting a test server online and inviting people to try to grab its private server keys by exploiting the so-called Heartbleed vulnerability in OpenSSL.
This site was created by CloudFlare engineers to be intentionally vulnerable to heartbleed. It is not running behind CloudFlare’s network. We encourage everyone to attempt to get the private key from this website. If someone is able to steal the private key from this site using heartbleed, we will post the full details here.
Well, they soon got an answer. And it wasn’t the good news we might have all wished for.
Within hours, software engineer Fedor Indutny was revealed to have recovered the private keys from the web server.
— Fedor Indutny (@indutny) April 11, 2014
Indutny said on Twitter that a script he wrote for the purpose took just three hours to hunt down the private SSL key.
CloudFlare confirmed Indutny’s success, and speculated that a reboot of the server at one point might have contributed to the challenger’s successful exfiltration of the server’s secret key.
One thing is clear. If you administer a server and have so far put off revoking and reissuing your SSL certificates, it might be time to think again.
If you don’t, you could be putting your users and online customers in jeopardy.
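One practical way to act on that advice is to inventory your certificates and flag any whose notBefore date predates the day the server was patched, since a key that lived in a vulnerable process has to be treated as exposed even after the patch. The following is an added example, not code from CloudFlare or from this article: it walks the DER structure of a certificate with only the standard library to pull out the validity period, and compares it with an assumed patch date. The certificate it checks is a constructed skeleton built inline (real certificates carry a populated issuer, subject and public key; this one uses empty placeholders), and PATCH_DATE is an assumption you would replace with the date your own server was patched and its key replaced.

```python
"""Flag X.509 certificates issued before a Heartbleed patch cutoff.

Added example, not CloudFlare's or the article's code. Standard library only.
The sample certificate below is a constructed skeleton, not a real certificate.
"""
from datetime import datetime, timezone

# Assumption: the day this server was patched and its key replaced.
PATCH_DATE = datetime(2014, 4, 11, tzinfo=timezone.utc)


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# --- minimal DER encoding, used only to build the constructed sample ---
def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value


def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def utctime(dt: datetime) -> bytes:
    # UTCTime (tag 0x17) is YYMMDDHHMMSSZ
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


# --- minimal DER decoding ---
def der_children(data: bytes):
    """Yield (tag, value) for each TLV inside a constructed value."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:  # long form: next (length & 0x7F) bytes hold the length
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + length]
        i += length


def parse_time(tag: int, value: bytes) -> datetime:
    text = value.decode("ascii")
    if tag == 0x17:    # UTCTime
        dt = datetime.strptime(text, "%y%m%d%H%M%SZ")
    elif tag == 0x18:  # GeneralizedTime
        dt = datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.replace(tzinfo=timezone.utc)


def validity(cert_der: bytes) -> tuple:
    """Return (notBefore, notAfter) from a DER-encoded Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, subject, ... }
    """
    cert_tag, cert_body = next(der_children(cert_der))
    if cert_tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, tbs_body = next(der_children(cert_body))
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:  # explicit [0] version, skip it
        fields = fields[1:]
    val_tag, val_body = fields[3]       # serial, signature, issuer, validity
    if val_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    (nb_tag, nb), (na_tag, na) = list(der_children(val_body))[:2]
    return parse_time(nb_tag, nb), parse_time(na_tag, na)


def needs_reissue(cert_der: bytes, cutoff: datetime = PATCH_DATE) -> bool:
    """True if the certificate was issued before the cutoff, meaning its key
    existed while the server could still have been leaking memory."""
    not_before, _ = validity(cert_der)
    return not_before < cutoff


def sample_cert(not_before: datetime, not_after: datetime) -> bytes:
    """Constructed skeleton with a Certificate's field layout (placeholders
    for issuer, subject and key); enough for the validity walk above."""
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                           # [0] version v3
        tlv(0x02, b"\x01"),                                      # serialNumber
        seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        seq(),                                                   # issuer placeholder
        seq(utctime(not_before), utctime(not_after)),            # validity
        seq(),                                                   # subject placeholder
        seq(),                                                   # subjectPublicKeyInfo placeholder
    )
    return seq(tbs, seq(), tlv(0x03, b"\x00"))


if __name__ == "__main__":
    old = sample_cert(utc(2014, 3, 1), utc(2015, 3, 1))
    new = sample_cert(utc(2014, 4, 12), utc(2015, 4, 12))
    print("issued before patch, reissue:", needs_reissue(old))  # True
    print("issued after patch, reissue:", needs_reissue(new))   # False
```

On a real certificate you would feed `validity()` the DER bytes (for a PEM file, strip the header and footer lines and base64-decode the body); the same walk applies because the validity sequence sits at the same position in every TBSCertificate. A certificate that fails this check should be revoked as well as replaced, since reissuing alone does nothing about a copy of the old key that has already left the server.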
- The NSA knew about Heartbleed bug for two years, claims report
- Heartbleed bug explained by xkcd in a way anyone can understand
- In the wake of Heartbleed, watch out for phishing attacks disguised as password reset emails
- Here’s some really bad Heartbleed bug advice about changing your passwords
- Heartbleed OpenSSL bug: An FAQ for Mac, iPhone and iPad users
- Did the Heartbleed bug leak your Yahoo password?
- The Heartbleed bug: serious vulnerability found in OpenSSL cryptographic software library