SSL security keys can be accessed by Heartbleed bug

Heartbleed bug
Heartbleed bug

Programmers have shown that the Heartbleed bug could be used to exploit websites that used a version OpenSSL.

Security experts will usually take a worst case scenario to determine procedures moving forward. At the time of the original announcement last week, there was no public example of using the bug to access private keys.

CloudFlare issued a challenge to the security community the see if the Heartbleed vulnerability could be used to access private SSL keys. These keys would allow access to encrypted data including passwords and more.

While this would not prove that systems were accessed, it does show the possibility was there. The issue is that there are a high number of sites and systems that used OpenSSL, and the exploit existed for two years.

Within 9 hours of announcing the challenge, software engineer Fedor Indutny solved the puzzle.

Tweet from Fedor Indutny @indutny
Tweet from Fedor Indutny @indutny


“This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability.” – Cloudflare

Unfortunately, websites are not able to detect if their sites were compromised.

Security experts have said to change your passwords after an affected site has updated their software and generated a new private key. If you are the owner of a site, you should make sure a new key was generated as the old one may be compromised.

Tweet from Fedor Indutny @indutny
Tweet from Fedor Indutny @indutny

Related story: Online security flaw exposes millions of passwords

blog comments powered by Disqus