Private keys may be inaccessible to Heartbleed

[UPDATED] Research by CloudFlare indicates that Heartbleed can be used to obtain contents of server memory, but not private keys.

[UPDATE: Well, that didn't take long. Two people have succeeded at the CloudFlare challenge and captured the server's private key. CloudFlare says they restarted the server partway through and that this may have contributed, but even so it seems their analysis was wrong.]

Internet software and services firm CloudFlare has published research findings which indicate that the worst-case scenario for Heartbleed may not be practically achievable.

Heartbleed is a bug in OpenSSL's TLS heartbeat handling which lets a remote client read up to 64KB of the server process's memory per request; the attacker chooses how much comes back, not which memory it is. The worst-case scenario in this week's speculation has been that an attacker could use it to obtain the server's private key, which would enable the attacker to decrypt other users' communications with the server (including recorded past traffic, where the cipher suite lacks forward secrecy) or to impersonate it.

CloudFlare's research indicates that the server's private key is highly unlikely to sit at a point in memory that a Heartbleed request can reach. In tests against the custom build of NGINX they use for their own CDN and other services, they pulled gigabytes of leaked memory without recovering a single private key. They speculate that Apache servers may be exposed for a very brief window at startup, but web servers are rarely restarted and the attacker does not control when that happens.

The specific reasons why the keys are likely to be inaccessible are complicated and explained well in the CloudFlare blog, but briefly: the keys and the heartbeat request data are both allocated on the heap, which grows upward in memory, and the keys are loaded early in server startup, so they sit at low heap addresses. The bug copies memory forward from the heartbeat request buffer, toward higher addresses; since that buffer is allocated later, and therefore above the keys, the over-read moves away from the key material rather than toward it. The argument holds only as long as no copy of the key material, however transient, is ever allocated (or freed and the memory reused) above the request buffer.
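The heap-layout argument above, as an added illustration that is neither CloudFlare's nor OpenSSL's code: a C simulation with a toy bump allocator that grows upward, a constructed key marker allocated "at startup" at a low address, and a heartbeat request allocated later that claims 65535 bytes while carrying one. The vulnerable handler copies forward from the request payload the way OpenSSL 1.0.1's tls1_process_heartbeat did, clamped to the arena only so the simulation itself stays memory-safe; the fixed handler carries the length check added in 1.0.1g. The second scenario shows the failure mode: key material that lands above the request buffer is leaked. Arena size, allocator and the key string are all assumptions of this example.

```c
/* Constructed simulation of the Heartbleed over-read against a toy heap.
 * Not CloudFlare's or OpenSSL's code; the arena, bump allocator and KEY
 * marker are assumptions of this example. All reads stay inside the arena
 * so it is safe to run; a real server read whatever process memory followed
 * the request buffer. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HDR       3            /* type byte + 2-byte payload length */
#define HB_PAD       16           /* minimum padding required by RFC 6520 */
#define MAX_CLAIM    65535        /* 16-bit length field: the 64KB cap */
#define ARENA_SIZE   (8 * 1024 + MAX_CLAIM + 64)

static unsigned char arena[ARENA_SIZE];
static size_t brk_off;            /* next free offset: this heap grows upward */

static void heap_reset(void) { memset(arena, 0, sizeof arena); brk_off = 0; }

/* Bump allocator: later allocations always land at higher addresses. */
static unsigned char *heap_alloc(size_t n) {
    if (brk_off + n > ARENA_SIZE) return NULL;
    unsigned char *p = arena + brk_off;
    brk_off += n;
    return p;
}

/* Vulnerable handler: trusts the claimed payload length and copies that many
 * bytes forward from the payload pointer. Returns bytes written into resp. */
static size_t heartbeat_vulnerable(const unsigned char *req, size_t req_len,
                                   unsigned char *resp) {
    const unsigned char *pl = req + HB_HDR;
    size_t claimed = ((size_t)req[1] << 8) | req[2];
    (void)req_len;                                 /* BUG: never compared to claimed */
    size_t avail = (size_t)((arena + ARENA_SIZE) - pl);
    size_t n = claimed < avail ? claimed : avail;  /* clamp: simulation safety only */
    memcpy(resp, pl, n);
    return n;
}

/* Fixed handler: refuse any request whose claimed length exceeds what the
 * record actually delivered (the 1.0.1g check, expressed on our buffer). */
static size_t heartbeat_fixed(const unsigned char *req, size_t req_len,
                              unsigned char *resp) {
    if (req_len < HB_HDR + HB_PAD) return 0;
    size_t claimed = ((size_t)req[1] << 8) | req[2];
    if (HB_HDR + claimed + HB_PAD > req_len) return 0;   /* silently discard */
    memcpy(resp, req + HB_HDR, claimed);
    return claimed;
}

static int contains(const unsigned char *hay, size_t hay_len,
                    const unsigned char *needle, size_t needle_len) {
    if (needle_len == 0 || hay_len < needle_len) return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* Constructed marker standing in for PEM/DER key material. */
static const unsigned char KEY[] = "-----BEGIN RSA PRIVATE KEY----- constructed";
#define KEY_LEN (sizeof KEY - 1)
#define REQ_LEN (HB_HDR + 1 + HB_PAD)              /* one real payload byte */

/* Allocate a heartbeat request on the toy heap claiming `claim` payload bytes. */
static unsigned char *make_request(unsigned claim) {
    unsigned char *req = heap_alloc(REQ_LEN);
    if (!req) return NULL;
    req[0] = 1;                                    /* TLS1_HB_REQUEST */
    req[1] = (unsigned char)(claim >> 8);
    req[2] = (unsigned char)(claim & 0xff);
    req[3] = 'A';
    return req;
}

static unsigned char *load_key(void) {
    unsigned char *k = heap_alloc(sizeof KEY);
    if (k) memcpy(k, KEY, sizeof KEY);
    return k;
}

/* CloudFlare's scenario: key loaded at startup, request arrives later and
 * sits above it. Returns 1 if the key bytes appear in the leak, else 0. */
static int leak_key_below_request(void) {
    static unsigned char resp[MAX_CLAIM];
    heap_reset();
    if (!load_key()) return -1;
    unsigned char *req = make_request(MAX_CLAIM);
    if (!req) return -1;
    size_t n = heartbeat_vulnerable(req, REQ_LEN, resp);
    return contains(resp, n, KEY, KEY_LEN);
}

/* Failure mode: a copy of the key material ends up above the request. */
static int leak_key_above_request(void) {
    static unsigned char resp[MAX_CLAIM];
    heap_reset();
    unsigned char *req = make_request(MAX_CLAIM);
    if (!req || !load_key()) return -1;
    size_t n = heartbeat_vulnerable(req, REQ_LEN, resp);
    return contains(resp, n, KEY, KEY_LEN);
}

/* The fixed handler returns nothing for the oversized claim... */
static int fixed_leaks_nothing(void) {
    static unsigned char resp[MAX_CLAIM];
    heap_reset();
    unsigned char *req = make_request(MAX_CLAIM);
    if (!req) return -1;
    return (int)heartbeat_fixed(req, REQ_LEN, resp);
}

/* ...but still echoes an honest request's single payload byte. */
static int honest_request_echo(void) {
    unsigned char resp[MAX_CLAIM];
    heap_reset();
    unsigned char *req = make_request(1);
    if (!req) return -1;
    size_t n = heartbeat_fixed(req, REQ_LEN, resp);
    return n == 1 ? resp[0] : -1;
}

int main(void) {
    printf("key below request, vulnerable handler: leaked=%d\n", leak_key_below_request());
    printf("key above request, vulnerable handler: leaked=%d\n", leak_key_above_request());
    printf("oversized claim, fixed handler: bytes=%d\n", fixed_leaks_nothing());
    printf("honest request, fixed handler: echo=%c\n", honest_request_echo());
    return 0;
}
```

The first scenario is the layout CloudFlare argued for and the leak never touches the key; the second is the condition under which that argument fails, and it is the one the update at the top of this post is consistent with: anything that places key bytes above the request buffer, a temporary copy included, puts them inside the 64KB window.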

If it is true that private keys are not vulnerable, at least as a practical matter, then some of the worst implications of Heartbleed fall away. The main one is the need for sites to revoke their old certificates and reissue new ones. That process is moving very slowly (see the new Netcraft report), and the Public Key Infrastructure was not designed for a mass revoke-and-reissue, an event which would impose a significant performance burden on the Internet.

CloudFlare is careful not to claim that their findings are final or that they prove the keys are inaccessible. To further the research they have created a "CloudFlare Challenge" site running a vulnerable web server and asked the public to attack it and try to steal the key.

Hat tip to Bruce Schneier.