Searching for The Prime Suspect: How Heartbleed Leaked Private Keys

Published on by John Graham-Cumming.

Within a few hours of CloudFlare launching its Heartbleed Challenge the truth was out. Not only did Heartbleed leak private session information (such as cookies and other data that SSL should have been protecting), but the crown jewels of an HTTPS web server were also vulnerable: the private SSL keys

The Heartbleed Aftermath: all CloudFlare certificates revoked and reissued

Published on by Nick Sullivan.

Eleven days ago the Heartbleed vulnerability was publicly announced. Last Friday, we issued the CloudFlare Challenge: Heartbleed and simultaneously started the process of revoking and reissuing all the SSL certificates that CloudFlare manages for our customers. That process is now complete. We have revoked and reissued every single certificate we

Certificate Revocation and Heartbleed

Published on by Nick Sullivan.

As you may have noticed, the CloudFlare Heartbleed Challenge has been solved. The private key for the site cloudflarechallenge.com has been obtained by several authorized attackers via the Heartbleed exploit. Any person who obtained the private key will be able to impersonate cloudflarechallenge.com, as Fedor Indutny demonstrated when

The Results of the CloudFlare Challenge

Published on by Nick Sullivan.

Earlier today we announced the Heartbleed Challenge. We set up an nginx server with a vulnerable version of OpenSSL and challenged the community to steal its private key. The world was up to the task: two people independently retrieved private keys using the Heartbleed exploit. The first valid submission was