Subscribe to receive notifications of new posts:

Subscription confirmed. Thank you for subscribing!

Certificate Revocation and Heartbleed


As you may have noticed, the CloudFlare Heartbleed Challenge has been solved. The private key for the site has been obtained by several authorized attackers via the Heartbleed exploit.

Any person who obtained the private key will be able to impersonate, as Fedor Indutny demonstrated when proving he had the private key.

We have decided to revoke the certificate, but leave the site active so people can test their browsers. As we mentioned in a previous blog post, revocation is not a foolproof process. Each browser behaves differently when it encounters an expired certificate. If you are still able to visit the challenge site, you might have to change your browser settings.

Browser Behavior

Internet Explorer and Safari give warnings, but allow the user to bypass them.

Safari warning
Safari's warning

IE warning
IE's warning

Firefox fully denies access to sites using a revoked certificate.
Firefox warning
Firefox's warning

Chrome allows the site to load with no warning. This is because online revocation checking is disabled by default. Instead, Chrome uses a proprietary method called CRLSets which relies on a pre-compiled list of revoked certificates. Scott Helme describes how to enable online verification in the Chrome advanced settings:
Chrome revocation setting

It is more important than ever to check certificates to see if they have been revoked. According to Netcraft that certificate revocation has gone up sharply since the Heartbleed vulnerability was announced.

Netcraft statistics

We expect this trend to continue as more websites evaluate the risk that their private keys were stolen though Heartbleed. If your site was vulnerable to Heartbleed, we encourage you to talk to your CA to revoke your certificate an rekey.

I will be giving a webinar about this topic next week with updates. You can register for that here.

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet application, ward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.

Heartbleed HTTPS Reliability SSL Community

Follow on Twitter

Nick Sullivan |@grittygrease
Cloudflare |Cloudflare

Related Posts