Internet Security

Danger Confirmed: Heartbleed Really Does Open Up Crypto Keys to Hackers

Ryan Dube 14-04-2014

News from Cloudflare on Friday indicates that the debate is over regarding whether the new OpenSSL Heartbleed vulnerability could be utilized to obtain private encryption keys from vulnerable servers and websites. Cloudflare confirmed that third-party, independent testing revealed this is in fact true. Private encryption keys are at risk.


MakeUseOf previously reported the OpenSSL bug Massive Bug in OpenSSL Puts Much of Internet At Risk If you're one of those people who've always believed that open source cryptography is the most secure way to communicate online, you're in for a bit of a surprise. Read More last week, and indicated at that time that whether or not encryption keys were vulnerable was still in question, because Adam Langley, a Google security expert, could not confirm that as being the case.

Cloudflare originally issued a “Heartbleed Challenge” on Friday, setting up a nginx server with the vulnerable installation of OpenSSL in place, and challenged the hacker community to try and obtain the server’s private encryption key. Online hackers jumped to meet the challenge, and two individuals succeeded as of Friday, and several more “successes” followed. Each successful attempt to extract private encryption keys through only the Heartbleed vulnerability adds to the growing body of evidence that the impact of Hearbleed could be worse than originally suspected.


The first submission came on the same day the challenge was issued, by a Software Engineer by the name of Fedor Indutny. Fedor succeeded after pounding the server with 2.5 million requests.

The second submission came from Ilkka Mattila at the National Cyber Security Centre at Helsinki, who only needed about a hundred thousand requests to obtain the encryption keys.


After the first two challenge winners were announced, Cloudflare updated its blog on Saturday with two more confirmed winners – Rubin Xu, a PhD student at Cambridge University, and Ben Murphy, a Security Researcher. Both individuals proved that they were able to pull the private encryption key off the server, and Cloudflare confirmed that all individuals who successfully overcame the challenge did so using nothing more than only the Heartbleed exploit.

The dangers posed by a hacker obtaining the encryption key on a server is widespread. But should you be worried?

As Christian recently pointed out, many media sources are hyping up the threat posed Heartbleed – What Can You Do To Stay Safe? Read More by the vulnerability, so it can be difficult to gauge the real danger.

What you can do: Find out if the online services you utilize are vulnerable (Christian provided several resources at the link above). If they are, avoid using that service until you hear that the servers have been patched. Don’t run in to change your passwords, because you’re only providing more transmitted data for hackers to decrypt and obtain your data. Lay low, monitor the status of the servers, and when they’ve been patched, go in and immediately change your passwords.


Source: Ars Technica | Image credit: Silhouette of a Hacker by GlibStock at Shutterstock

Related topics: Encryption, Online Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Warren B
    April 17, 2014 at 3:15 am

    If you want, Android has a program by Lookout called Heartbleed Security Scanner that will test your Android phone for the bug. It won't fix the problem, but it is sure nice to know if it exists on your phone in the first place.

  2. Caroline W
    April 15, 2014 at 12:35 am

    I just heard about Heartbleed through an email IFTTT sent me, besides that I never knew it existed: The point is, that even myself who is above avg in tech stuff didn't know, what about the millions out there that don't read tech sites and mags. It's a bloody scary prospect.

    Luckily, Last Pass - password manager - alerted me to the sites that had been patched and thus change my p/w's and to wait until the others catch up with their security.

    From the article it sounds like this was a 'deliberate exercise' to see if it could be hacked. So was it sh*t heads doing it or legit hackers to prove something??

    • Ryan D
      April 15, 2014 at 2:25 am

      Hi Caroline - I agree. That's the scariest part in my mind, the many people out there that are completely clueless about what all this means. They won't bother changing their passwords. The only luck one can hope for is that no one was able to exploit this vulnerability before it became public and people started to apply patches.

      To answer your question, this particular exercise was sort of like "white hat" hackers just trying to show that the vulnerability does allow hackers to access the encryption keys. This is only to prove that people need to be aware of the dangers involved and to take the necessary actions. Those actions are mostly for the server administrators, but for all of us - it's just to make sure to change passwords after those services have patched their systems. Beyond that, there's not much more anyone can do but wait and hope for the best.

  3. Mike B.
    April 14, 2014 at 7:17 pm

    So after reading this article, how does one go about changing their MakeUseOf login password beyond doing a password reset and being emailed a 'temporary' password?

    • Vc N
      April 14, 2014 at 9:21 pm

      This is a good question. I recall there being a profile page at one point but it just sends you to your liked and shared history.

    • Ryan D
      April 15, 2014 at 2:22 am

      Hey Mike - forwarded this question over to our tech dept...I do see what you mean, for readers there doesn't currently appear to be a settings or profile page to set your own password.