Friday, April 11, 2014

Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible


Many already suspected that the "Heartbleed" flaw in OpenSSL could be used to steal a server's private SSL key; now there's proof. This matters because anyone holding the private key behind a site's certificate can impersonate that site to its users and, for sessions negotiated with plain RSA key exchange (no forward secrecy), decrypt recorded traffic, including traffic captured before the key was stolen. The damage persists until the key is replaced and the old certificate revoked. The Cloudflare Challenge invited all comers to prove it could be done by stealing the key from one of Cloudflare's NGINX servers running the vulnerable version of OpenSSL, and according to CEO Matthew Prince it was completed this afternoon by a pair of researchers. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified. Tl;dr? Change your passwords, but wait until affected services announce that they've not only patched OpenSSL but also reissued their certificates with new private keys: a fresh certificate wrapping the same leaked key fixes nothing.
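Since "reissued the certificate" and "replaced the key" are not the same thing, the check worth running before you change a password is whether the key behind a site's certificate actually changed. The following is an added example, not code from Cloudflare or the challenge participants: it hashes the SubjectPublicKeyInfo of a certificate recorded before the disclosure and of the one served now, and treats the key as rotated only if the hashes differ and the new certificate's NotBefore is after the 7 April 2014 disclosure. The three certificates it compares are constructed in-process as fixtures (self-signed, for a hypothetical host "example.test"); in practice you would feed it the PEM you saved earlier and the PEM the server presents today.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// HeartbleedDisclosed is the public disclosure date of the OpenSSL heartbeat bug (CVE-2014-0160).
var HeartbleedDisclosed = time.Date(2014, 4, 7, 0, 0, 0, 0, time.UTC)

// ParsePEMCert decodes a single PEM-encoded X.509 certificate.
func ParsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// SPKIFingerprint returns the hex SHA-256 of the certificate's SubjectPublicKeyInfo.
// Two certificates with the same value were issued for the same key pair, whatever
// their serial numbers, validity periods or issuers say.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// KeyRotated reports whether the certificate served now (newPEM) is backed by a
// different key pair than the one recorded before the disclosure (oldPEM) and was
// issued after it. Both conditions must hold: a post-disclosure reissue that wraps
// the same (possibly leaked) key is not a rotation.
func KeyRotated(oldPEM, newPEM []byte) (bool, error) {
	oldCert, err := ParsePEMCert(oldPEM)
	if err != nil {
		return false, err
	}
	newCert, err := ParsePEMCert(newPEM)
	if err != nil {
		return false, err
	}
	if SPKIFingerprint(oldCert) == SPKIFingerprint(newCert) {
		return false, nil // same public key: the reissue changed nothing that matters
	}
	if newCert.NotBefore.Before(HeartbleedDisclosed) {
		return false, nil // different key, but the cert predates the bug going public
	}
	return true, nil
}

// selfSigned builds a self-signed certificate for key, valid from notBefore for one
// year. It exists only to construct fixtures for this example.
func selfSigned(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.test"}, // hypothetical host
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Fixtures returns three constructed PEM certificates: the pre-disclosure cert, a
// post-disclosure reissue that reuses the same key, and a post-disclosure cert for a
// brand-new key.
func Fixtures() (oldPEM, sameKeyPEM, newKeyPEM []byte, err error) {
	leaked, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	fresh, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	before := time.Date(2013, 6, 1, 0, 0, 0, 0, time.UTC)
	after := time.Date(2014, 4, 9, 0, 0, 0, 0, time.UTC)
	if oldPEM, err = selfSigned(leaked, 1, before); err != nil {
		return nil, nil, nil, err
	}
	if sameKeyPEM, err = selfSigned(leaked, 2, after); err != nil {
		return nil, nil, nil, err
	}
	if newKeyPEM, err = selfSigned(fresh, 3, after); err != nil {
		return nil, nil, nil, err
	}
	return oldPEM, sameKeyPEM, newKeyPEM, nil
}

func main() {
	oldPEM, sameKeyPEM, newKeyPEM, err := Fixtures()
	if err != nil {
		panic(err)
	}
	r1, _ := KeyRotated(oldPEM, sameKeyPEM)
	r2, _ := KeyRotated(oldPEM, newKeyPEM)
	fmt.Println("reissued with same key, rotated:", r1) // false
	fmt.Println("reissued with new key, rotated:  ", r2) // true
}
```

The SPKI hash is the value to record per site, not the certificate serial or fingerprint: those change on every reissue and tell you nothing about the key. Keep in mind that a rotated key protects only sessions negotiated after the rotation; traffic recorded earlier under RSA key exchange stays decryptable by whoever holds the old key.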

Just cracked @CloudFlare's challenge: https://t.co/8ZPSxyKF4D . I wonder when they'll update the page.


- Fedor Indutny (@indutny) April 11, 2014


Looks like @indutny got the challenge key! (Which is both exciting and terrifying.) Haven't confirmed used #heartbleed. Updates soon!


- Matthew Prince (@eastdakota) April 12, 2014


Private key has been successfully extracted from an nginx server using Heartbleed by @indutny: https://t.co/iIrwwSVpco Worst case scenario.


- John Resig (@jeresig) April 12, 2014


Source: Cloudflare Challenge, Fedor Indutny (Twitter), Matthew Prince (Twitter)