News from Cloudflare on Friday indicates that the debate is over regarding whether the new OpenSSL Heartbleed vulnerability could be utilized to obtain private encryption keys from vulnerable servers and websites. Cloudflare confirmed that third-party, independent testing revealed this is in fact true. Private encryption keys are at risk.
MakeUseOf previously reported the OpenSSL bug last week, and indicated at that time that whether or not encryption keys were vulnerable was still in question, because Adam Langley, a Google security expert, could not confirm that as being the case.
Cloudflare originally issued a “Heartbleed Challenge” on Friday, setting up an nginx server with the vulnerable version of OpenSSL in place, and challenged the hacker community to try to obtain the server’s private encryption key. Online hackers jumped to meet the challenge; two individuals succeeded as of Friday, and several more “successes” followed. Each successful extraction of a private encryption key through the Heartbleed vulnerability alone adds to the growing body of evidence that the impact of Heartbleed could be worse than originally suspected.
The first submission came on the same day the challenge was issued, by a Software Engineer by the name of Fedor Indutny. Fedor succeeded after pounding the server with 2.5 million requests.
The second submission came from Ilkka Mattila at the National Cyber Security Centre at Helsinki, who only needed about a hundred thousand requests to obtain the encryption keys.
After the first two challenge winners were announced, Cloudflare updated its blog on Saturday with two more confirmed winners – Rubin Xu, a PhD student at Cambridge University, and Ben Murphy, a Security Researcher. Both individuals proved that they were able to pull the private encryption key off the server, and Cloudflare confirmed that everyone who successfully completed the challenge did so using nothing more than the Heartbleed exploit.
The dangers posed by a hacker obtaining a server’s encryption key are widespread. But should you be worried?
As Christian recently pointed out, many media sources are hyping up the threat posed by the vulnerability, so it can be difficult to gauge the real danger.
What you can do: Find out whether the online services you use are vulnerable (Christian provided several resources at the link above). If they are, avoid using that service until you hear that its servers have been patched. Don’t rush to change your passwords on an unpatched service, because doing so only sends more of your data across a connection that hackers may still be able to decrypt. Lay low, monitor the status of the servers, and once they’ve been patched, go in and immediately change your passwords.