
Certificate Revocation and Heartbleed

04/12/2014


As you may have noticed, the CloudFlare Heartbleed Challenge has been solved. The private key for the site cloudflarechallenge.com has been obtained by several authorized attackers via the Heartbleed exploit.

Any person who obtained the private key will be able to impersonate cloudflarechallenge.com, as Fedor Indutny demonstrated when proving he had the private key.

We have decided to revoke the certificate, but leave the site active so people can test their browsers. As we mentioned in a previous blog post, revocation is not a foolproof process. Each browser behaves differently when it encounters an expired certificate. If you are still able to visit the challenge site, you might have to change your browser settings.

Browser Behavior

Internet Explorer and Safari give warnings, but allow the user to bypass them.

Safari's warning

IE's warning

Firefox fully denies access to sites using a revoked certificate.
Firefox's warning

Chrome allows the site to load with no warning. This is because online revocation checking is disabled by default. Instead, Chrome uses a proprietary method called CRLSets which relies on a pre-compiled list of revoked certificates. Scott Helme describes how to enable online verification in the Chrome advanced settings:
Chrome revocation setting
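
The gap between a pre-compiled revocation list and the CA's current one can be reproduced offline. The following is an added example, not code from the original post or from Chrome: it uses the Python `cryptography` package with a constructed CA, host name and dates, and a plain X.509 CRL stands in for a pre-compiled list (CRLSets use their own format).

```python
# Added example: constructed CA, names and dates; requires the `cryptography` package.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

T0 = dt.datetime(2014, 4, 1)  # constructed timestamp, not taken from the post

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, public_key, signing_key, is_ca=False):
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(_name(issuer))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(T0).not_valid_after(T0 + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def make_crl(issuer_cn, ca_key, revoked_serials, issued_at):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(_name(issuer_cn))
               .last_update(issued_at).next_update(issued_at + dt.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(issued_at)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build())
    return builder.sign(ca_key, hashes.SHA256())

def revocation_status(cert, crl, ca_cert):
    """'revoked' or 'good' according to this list, 'unknown' if the list cannot be trusted."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_cert.public_key()):
        return "unknown"
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if entry is not None else "good"

def demo():
    ca_key, leaf_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = make_cert("Demo CA", "Demo CA", ca_key.public_key(), ca_key, is_ca=True)
    leaf = make_cert("challenge.example", "Demo CA", leaf_key.public_key(), ca_key)
    later = T0 + dt.timedelta(days=11)
    stale = make_crl("Demo CA", ca_key, [], T0)                   # compiled before the revocation
    fresh = make_crl("Demo CA", ca_key, [leaf.serial_number], later)
    forged = make_crl("Demo CA", other_key, [], later)            # not signed by the CA key
    lists = [("stale", stale), ("fresh", fresh), ("forged", forged)]
    return {label: revocation_status(leaf, crl, ca) for label, crl in lists}

if __name__ == "__main__":
    print(demo())
```

A client that only holds the stale list reports the revoked certificate as good, and a list that fails signature verification has to be treated as unknown rather than as a pass.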

It is more important than ever to check certificates to see if they have been revoked. According to Netcraft, certificate revocation has gone up sharply since the Heartbleed vulnerability was announced.


Netcraft statistics

We expect this trend to continue as more websites evaluate the risk that their private keys were stolen through Heartbleed. If your site was vulnerable to Heartbleed, we encourage you to talk to your CA to revoke your certificate and rekey.

I will be giving a webinar about this topic next week with updates. You can register for that here.

Nick Sullivan|@grittygrease