CloudFlare did a good real-world analysis of Heartbleed: hey could get it to leak a private key. This suggests that perhaps private keys may not be in as great a danger as suggested earlier this week. I hope they’re right, and I hope other big players will perform similar tests.
h/t Eric Lloyd
Below is what we thought as of 12:27pm UTC. To verify our belief we crowd sourced the investigation. It turns out we were wrong. While it takes effort, it is possible to extract private SSL keys. The challenge was solved by Software Engineer Fedor Indutny and Ilkka Mattila at NCSC-FL roughly 9 hours after the challenge was first published. Fedor sent 2.5 million requests over the course of the day and Ilkka sent around 100K requests. Our recommendation based on this finding is that everyone reissue and revoke their private keys. “
Troed Sångberg – ouch. I’m glad they’re doing that legwork
Comments are closed.