Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible

Richard Lawler, @Rjcc
April 11, 2014

Many already suspected that the "Heartbleed" security flaw in OpenSSL could be used to steal a server's private SSL key, and now there's proof. That matters because anyone who obtained the private decryption key of a server belonging to one of the many web services using OpenSSL could spy on or alter (supposedly secure) traffic to and from it until the key is changed. The Cloudflare Challenge invited all comers to prove it could be done by stealing the keys from one of its NGINX servers running the vulnerable version of OpenSSL, and according to CEO Matthew Prince it was completed this afternoon by a pair of researchers. Fedor Indutny tweeted that he had done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant, Ilkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge.

Confused by all the programming and security terms and just need to know how this affects you? It means that you definitely need to change your passwords, but you should wait until affected services announce they've not only fixed their OpenSSL but also swapped out their (potentially compromised) security certificates for new ones.
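The advice above hinges on one observable fact: whether a service's certificate was issued after the flaw became public. The following is an added example, not code from the article or from Cloudflare, that reads the `notBefore` date of a certificate in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns and compares it with the Heartbleed disclosure date (7 April 2014). The two sample certificate dictionaries are constructed for the example; `fetch_peer_cert` is a hypothetical helper that would be used on a live host instead of the samples.

```python
"""Decide whether a TLS certificate was (re)issued after the Heartbleed
disclosure.  Added example; not part of the original article."""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of the Heartbleed bug: 7 April 2014.  A certificate whose
# notBefore date precedes this may still bind a private key that was exposed.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample certificates in getpeercert() dictionary form.
OLD_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Mar  1 00:00:00 2014 GMT",   # issued before disclosure
    "notAfter": "Mar  1 00:00:00 2015 GMT",
    "serialNumber": "01",
}
NEW_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Apr  9 12:00:00 2014 GMT",   # reissued after disclosure
    "notAfter": "Apr  9 12:00:00 2015 GMT",
    "serialNumber": "02",
}


def cert_not_before(cert):
    """Return the certificate's notBefore field as an aware UTC datetime.

    ssl.cert_time_to_seconds() parses the 'Mon DD HH:MM:SS YYYY GMT' format
    that getpeercert() uses for its date fields.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_disclosure(cert, disclosed=HEARTBLEED_DISCLOSED):
    """True if the certificate's validity starts on or after the disclosure date.

    A True result does not prove the key was rotated (a certificate can be
    reissued for an old key), but a False result means the service has not yet
    replaced the certificate it used while vulnerable.
    """
    return cert_not_before(cert) >= disclosed


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Hypothetical helper: fetch the leaf certificate a live server presents.

    Needs network access; the samples above are used instead when run offline.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def describe(cert):
    """Human-readable verdict for one certificate dictionary."""
    issued = cert_not_before(cert).date().isoformat()
    verdict = "reissued after disclosure" if reissued_after_disclosure(cert) \
        else "predates disclosure; wait before changing passwords"
    return f"serial {cert['serialNumber']}: issued {issued}, {verdict}"


if __name__ == "__main__":
    for sample in (OLD_CERT, NEW_CERT):
        print(describe(sample))
```

To check a real host, replace the sample dictionaries with the result of `fetch_peer_cert("hostname")`; the comparison logic is the same.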

Update: If you're wondering how he did it, Indutny has posted more details and the script on his blog.

Image credit: snoopsmaus/Flickr


