Blog: Heartbleed

Security vs the community: you’re doing it right!

Pedro Venda 14 Apr 2014

So the Heartbleed vulnerability was disclosed on the 7th April as has been extensively discussed on our blog and pretty much all around the Internet.

I’m pretty sure every sysadmin was up to their elbows in placing support calls, patching and rebooting things, contacting security people and deciding what to do with services that could not yet be patched. And so were the folks at cloudflare.com.

They did their job: patched their services and informed their customers and community in general in the following post:
https://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed.

Two important things in that post drew my attention. They had patched their services before the issue was made public and, more importantly, they suggested that it might not be possible to exploit Heartbleed to capture SSL private keys.

The claim was worded carefully, and with good reason in my view: they had no evidence that it was impossible, only that they had not managed it themselves.

“… after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys.”

But it sparked something important: a challenge to security researchers, many of whom probably react a bit like Marty McFly when called “chicken” by Biff. Except in this case it was more like “that’s impossible!” — challenge accepted!

Cloudflare set up an nginx web server with a vulnerable version of OpenSSL exposed to the Internet and challenged anyone to retrieve the server’s SSL private key by exploiting the Heartbleed vulnerability.
Anyone who submitted the correct key along with a description of how they had obtained it would have solved the challenge.

And sure enough, someone cracked it rather quickly:
http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

— to the geniuses who solved the challenge, congratulations, very well done indeed!!

Here’s a very interesting writeup on it:
http://gist.github.com/epixoip/10570627
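The approach behind the winning submissions (scan every window of memory leaked through the heartbeat response for a value that divides the server’s public RSA modulus N, then rebuild the rest of the key from that prime) is easy to demonstrate offline. The following is an added example written for this post, not code from Cloudflare or from the linked writeup. It assumes an OpenSSL-style layout in which the private prime sits in memory as little-endian limbs (the BIGNUM layout on x86), uses a toy 256-bit key, embeds the prime in a constructed “leak” buffer, and does not model the Heartbleed request itself or the 64 KiB per-response limit.

```python
"""
Added illustration of the Cloudflare-challenge key-recovery idea: given the
public modulus N and a blob of leaked process memory, look for a window that
divides N.  Toy key sizes and a constructed leak; Python 3.8+ (pow(e, -1, m)).
"""
import random


# --- minimal RSA key generation (toy sizes, illustration only) --------------

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd prime with the top bit set, so it has exactly `bits` bits."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def gen_rsa(bits=256, seed=0xC10D):
    """Deterministic toy RSA key: returns (n, e, d, p, q)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = gen_prime(bits // 2, rng)
        q = gen_prime(bits // 2, rng)
        # e is prime, so gcd(e, phi) == 1 iff e divides neither p-1 nor q-1
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d, p, q


# --- constructed "leaked memory" -------------------------------------------

def build_leak(p, seed=1, size=4096, offset=1337):
    """Constructed sample: random heap noise with the prime p embedded as
    little-endian bytes (assumed BIGNUM limb order on x86) at `offset`."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    p_bytes = p.to_bytes((p.bit_length() + 7) // 8, "little")
    buf[offset:offset + len(p_bytes)] = p_bytes
    return bytes(buf)


# --- the search used against the challenge server ---------------------------

def find_factor(n, leak, byteorder="little"):
    """Slide a window of half the modulus width over the leak and return
    (offset, candidate) for the first window that divides n, else None.
    Since n = p*q, any value in (1, n) dividing n must be p or q."""
    width = ((n.bit_length() + 1) // 2 + 7) // 8
    for off in range(len(leak) - width + 1):
        cand = int.from_bytes(leak[off:off + width], byteorder)
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def recover_private_key(n, e, leak):
    """Rebuild (p, q, d) from a single prime found in the leak."""
    hit = find_factor(n, leak)
    if hit is None:
        return None
    _, p = hit
    q = n // p
    return p, q, pow(e, -1, (p - 1) * (q - 1))


def demo():
    """End to end: generate a key, leak its prime, recover d, prove it works."""
    n, e, d, p, q = gen_rsa()
    recovered = recover_private_key(n, e, build_leak(p))
    if recovered is None or recovered[2] != d:
        return False
    m = int.from_bytes(b"heartbleed", "big")      # message < n
    sig = pow(m, recovered[2], n)                 # "sign" with recovered d
    return pow(sig, e, n) == m                    # verify with public e


if __name__ == "__main__":
    print("private key recovered and verified:", demo())
```

The search is cheap because a wrong window almost never divides N: the only non-trivial divisors of a two-prime modulus are p and q, so a divisibility check on every offset is a complete test, not a heuristic. On a real server the same idea has to cope with memory that arrives 64 KiB at a time, with limb padding, and with the prime only being resident when the key was recently used, which is why the challenge took persistence rather than a single request.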

(Image: private keys submitted to the challenge.) Plenty of fake private keys being “uploaded” by people with some sort of sense of humour.

This is, for me, the perfect example of openness and full disclosure working to improve the security of widely used software and to enrich the knowledge of the security community,
as opposed to obscurity and short-sighted measures such as blocking access to and from the Heartbleed test page.

Disclaimer: we have nothing for or against Cloudflare; this is simply praise for how they dealt with the issue. Now if only they would stop using certificates with tens of DNS names, including some with wildcards… “or are you chicken?”