Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible

Richard Lawler, @Rjcc
April 11, 2014

Many already thought that the "Heartbleed" security flaw in OpenSSL could be used to steal SSL keys from a server, but now there's proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed. The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers, according to CEO Matthew Prince. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant, Ilkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge.

Confused by all the programming and security terms and just need to know how this affects you? It means that while you definitely need to change your passwords, you should wait until affected services announce they've not only fixed their OpenSSL, but also swapped out (potentially compromised) security certificates for new ones.

Update: If you're wondering how he did it, Indutny has posted more details and the script on his blog.

Image credit: snoopsmaus/Flickr


