CloudFlare keys snatched using Heartbleed

Summary: CloudFlare's analysis Friday that Heartbleed may not be able to recover private keys turns out to be wrong. Two candidates recovered the keys from their challenge server.

Two successful attempts have been made at recovering private server keys from CloudFlare's Heartbleed challenge server.

The two winners are Fedor Indutny and Ilkka Mattila. Indutny, who succeeded first, made 2.5 million Heartbleed requests over the course of the day, and Mattila made 100,000.

CloudFlare rebooted the server at one point during the test, which they say may have contributed to the successful attempt, but

As Dan Kaminsky points out, even the researcher who found Heartbleed thought what CloudFlare thought:

Kaminsky makes other good points, and his blog is well worth reading if you are a system administrator or CISO affected by Heartbleed. His advice is to patch immediately, especially Internet-facing systems. This should be your immediate focus before dealing with revoking and reissuing certificates or helping users change passwords.


About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
