Heartbleed is as bad as they thought

Heartbleed has been in the news quite a bit recently. If you haven't heard about it, there is a bug in OpenSSL's heartbeat code for TLS. This means any server running a publicly accessible service secured by OpenSSL 1.0.1 to 1.0.1f (inclusive) was vulnerable to leaking memory: an attacker who knew about the bug could request 64KB chunks of the server's memory. This could leak anything from the private keys on the server to user data.
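The bug is a missing bounds check: the heartbeat handler trusted the payload length claimed in the message and copied that many bytes back, regardless of how many bytes had actually arrived. The following is an added Python example, not code from this post or from OpenSSL, showing the check the fixed versions perform. It parses a TLS heartbeat message body laid out per RFC 6520 (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) and rejects any message whose claimed length does not fit inside the record. It assumes the 5-byte TLS record header has already been stripped by the caller, and the sample messages are constructed, not captured.

```python
import struct

HB_REQUEST = 1    # heartbeat_request per RFC 6520
HB_RESPONSE = 2   # heartbeat_response
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 1 + 2  # type byte + 16-bit payload_length


def build_heartbeat(msg_type, payload, claimed_length=None,
                    padding=b"\x00" * MIN_PADDING):
    """Build a heartbeat message body (constructed sample input).

    claimed_length lets a test produce a malformed message whose length
    field disagrees with the number of payload bytes actually present,
    which is exactly the shape of a Heartbleed probe.
    """
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", msg_type, claimed_length) + payload + padding


def validate_heartbeat(body):
    """Return (msg_type, payload) for a well-formed heartbeat body.

    Raises ValueError when the claimed payload length cannot fit in the
    record. This is the bounds check that OpenSSL 1.0.1 through 1.0.1f
    did not perform before copying payload_length bytes into the reply.
    """
    if len(body) < HEADER_LEN + MIN_PADDING:
        raise ValueError("record too short for a heartbeat message")
    msg_type, payload_length = struct.unpack("!BH", body[:HEADER_LEN])
    if msg_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError("unknown heartbeat type %d" % msg_type)
    # Header + claimed payload + minimum padding must fit inside the record.
    if HEADER_LEN + payload_length + MIN_PADDING > len(body):
        raise ValueError("payload_length %d exceeds record length %d"
                         % (payload_length, len(body)))
    return msg_type, body[HEADER_LEN:HEADER_LEN + payload_length]


def audit_records(records):
    """Classify a list of heartbeat bodies; handy for checking a capture.

    Returns one string per record: "ok" or "malformed: <reason>".
    """
    results = []
    for body in records:
        try:
            validate_heartbeat(body)
            results.append("ok")
        except ValueError as exc:
            results.append("malformed: %s" % exc)
    return results


if __name__ == "__main__":
    # Constructed samples: a benign request, a request claiming the maximum
    # 65535-byte payload while carrying 5 bytes, and an off-by-one overclaim.
    samples = [
        build_heartbeat(HB_REQUEST, b"hello"),
        build_heartbeat(HB_REQUEST, b"hello", claimed_length=0xFFFF),
        build_heartbeat(HB_REQUEST, b"hello", claimed_length=6),
    ]
    for body, verdict in zip(samples, audit_records(samples)):
        print(len(body), "bytes:", verdict)
```

The off-by-one case shows why the padding minimum belongs in the check: a message that overstates its payload by a single byte still fails, because the 16 bytes of required padding no longer fit. Note that the type check alone would not have helped; the malformed probes use the ordinary request type.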

Since the announcement of the bug there has been some speculation as to what memory would actually be leaked. A few researchers speculated that sensitive data might not actually be leaked, primarily because of the way servers allocate dynamic memory. CloudFlare ran some internal testing and had trouble confirming that certain sensitive information, specifically the server's private keys, could be leaked by Heartbleed. So they put up a vulnerable server and challenged the Internet community to break into it. Two people independently snagged the private keys from the server using only the Heartbleed bug within the first day.

Since then, the certificate authority that issued the server's certificate has revoked it. You can no longer visit the website because of this; presumably CloudFlare will get a new certificate after the server has been patched, but for the time being the server is an excellent resource for security researchers. I set one of my servers to exploit their test server and have successfully pulled a memory dump of their private key. It would take a bit more work to get this raw data into the widely recognized PEM format, but I only cared about the proof of concept since the competition has already been "won".

The winners of the competition, along with the memory dump I was able to retrieve, serve as proof that the Heartbleed problem is as bad as originally predicted. If you ran a server with the affected versions of OpenSSL (1.0.1 to 1.0.1f inclusive), then you need to assume all your private data has been compromised. You need to revoke any certificates, change passwords, and assume everything else has been leaked.

Guidance for End Users

I have advised everyone I know to stay away from any website remotely related to money until that site makes a public statement about Heartbleed. This includes merchant sites where you might buy things, banking or other financial sites, and any web service with subscriptions. Those websites should either state that they were not affected by Heartbleed (about 1/3 of websites were not affected at all), or that they were affected, have since patched their installation, and have taken the appropriate steps to re-secure their site (see above).