Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible
Many already thought that the "Heartbleed" security flaw in OpenSSL could be used to steal SSL keys from a server, but now there's proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed.
The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers, according to CEO Matthew Prince. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant, Ilkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge.
Confused by all the programming and security terms and just need to know how this affects you? It means that while you definitely need to change your passwords, you should wait until affected services announce they've not only fixed their OpenSSL, but also swapped out (potentially compromised) security certificates for new ones.
Update: If you're wondering how he did it, Indutny has posted more details and the script on his blog.
Just cracked @CloudFlare's challenge: https://t.co/8ZPSxyKF4D . I wonder when they'll update the page.
- Fedor Indutny (@indutny) April 11, 2014
Looks like @indutny got the challenge key! (Which is both exciting and terrifying.) Haven't confirmed used #heartbleed. Updates soon!
- Matthew Prince (@eastdakota) April 12, 2014
Private key has been successfully extracted from an nginx server using Heartbleed by @indutny: https://t.co/iIrwwSVpco Worst case scenario.
- John Resig (@jeresig) April 12, 2014
Congratulations to Fedor Indutny (@indutny) and Ilkka Mattila for solving the CloudFlare Heartbleed Challenge. https://t.co/hze0MXM7OF
- Nick Sullivan (@grittygrease) April 12, 2014