As you may have noticed, the CloudFlare Heartbleed Challenge has been solved. The private key for the site has been obtained by several authorized attackers via the Heartbleed exploit.

Any person who obtained the private key will be able to impersonate, as Fedor Indutny demonstrated when proving he had the private key.

We have decided to revoke the certificate, but leave the site active so people can test their browsers. As we mentioned in a previous blog post, revocation is not a foolproof process. Each browser behaves differently when it encounters an expired certificate. If you are still able to visit the challenge site, you might have to change your browser settings.

Browser Behavior

Internet Explorer and Safari give warnings, but allow the user to bypass them.

Safari warning
Safari's warning

IE warning
IE's warning

Firefox fully denies access to sites using a revoked certificate.
Firefox warning
Firefox's warning

Chrome allows the site to load with no warning. This is because online revocation checking is disabled by default. Instead, Chrome uses a proprietary method called CRLSets which relies on a pre-compiled list of revoked certificates. Scott Helme describes how to enable online verification in the Chrome advanced settings:
Chrome revocation setting

It is more important than ever to check certificates to see if they have been revoked. According to Netcraft that certificate revocation has gone up sharply since the Heartbleed vulnerability was announced.

Netcraft statistics

We expect this trend to continue as more websites evaluate the risk that their private keys were stolen though Heartbleed. If your site was vulnerable to Heartbleed, we encourage you to talk to your CA to revoke your certificate an rekey.

I will be giving a webinar about this topic next week with updates. You can register for that here.