Fedor Indutny, a core member of the node.js team, has proved that it is in fact possible for an attacker to sniff out the private SSL keys from a server left exposed by the Heartbleed bug. The proof came in response to a challenge from CloudFlare that called on the security community to grab the keys from a demo server.
The public revelation of Heartbleed rocked the tech world earlier this week. The bug, an innocuous mistake in the “heartbeat” protocol of the critical SSL standard, had for years put the majority of the Web at risk of having exposed encryption keys, passwords and other sensitive data. To make matters worse, the exploit is virtually undetectable, making it difficult to tell whether attackers had already discovered the bug and taken advantage of it.
F**k it, we'll do it live!
Our biggest ever edition of TNW Conference is fast approaching! Join 10,000 tech leaders this May in Amsterdam.
CloudFlare set up the competition after its own team was unsuccessful in exposing their own servers’ keys during testing. The company posited earlier on Friday that using Heartbleed to get private keys is “at a minimum very hard…it may in fact be impossible.”
Sadly, it appears that this level of attack is in fact possible. Ferreting out the private keys didn’t even prove to be particularly time intensive, as Indutny claims his final script took just three hours to track down the private SSL key. Server administrators who have put off revoking and re-issuing and their SSL certificates should definitely take note.
— Fedor Indutny (@indutny) April 11, 2014
CloudFlare has promised to provide details about how Indutny obtained the keys, but neither party is likely to reveal the exact method right away in order to give administrators more time to change their SSL credentials. Matthew Prince, CloudFlare’s CEO did mention that he suspects that the keys were leaked when the team rebooted the challenge server.
Revoking SSL certificates will be a time-intensive and expensive process for website owners, but failure to do so jeopardizes them and their users, as attackers that have the private keys can impersonate servers even if they have already been patched.
Featured Image Credit – Håkan Dahlström / Flickr