This morning, content distribution network Cloudflare gave some hope to those affected by the Heartbleed security flaw with an announcement that the bug might not be as bad as feared. In two weeks of testing, Cloudflare said, its researchers failed to exploit the bug to steal a website’s private SSL keys, which secures the data sent to users. It issued a challenge to white-hat hackers to successfully retrieve the private security keys — and unfortunately for the web, one of them succeeded.
The widely-used open source library OpenSSL revealed on Monday it had a major bug, now known as “heartbleed”. By sending a specially crafted packet to a vulnerable server running an unpatched version of OpenSSL, an attacker can get up to 64kB of the server’s working memory. This is the result of a classic implementation bug known as a Buffer over-read There has been speculation that this vulnerability could expose server certificate private keys, making those sites vulnerable to impersonation. This would be the disaster scenario, requiring virtually every service to reissue and revoke its SSL certificates. Note that simply reissuing certificates is not enough, you must revoke them as well.