Hackers Successfully Use Heartbleed to Access Private Security Keys
Heartbleed is a security vulnerability in the open source web encryption software OpenSSL that allows hackers to retrieve small amounts of a web server's active memory. The active memory could contain valuable information such as personal data, password and credit card details and more.
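The over-read the article describes is easiest to see in a toy model. The following C program is an added illustration, not code from the article or from OpenSSL: it lays out a constructed "arena" standing in for a server's active memory, with a TLS heartbeat record (RFC 6520 layout: type, 16-bit payload length, payload, padding) at the start and some made-up bytes standing in for private-key material right behind it. `heartbeat_reply_vulnerable` trusts the length field the peer claimed, as the unpatched code did, and so copies neighbouring memory into the reply; `heartbeat_reply_fixed` applies the bounds check from the OpenSSL patch (the record must actually contain `1 + 2 + payload + 16` bytes) and discards the request otherwise. All function and buffer names here are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed arena standing in for a server's active memory (example only).
 * The heartbeat record occupies the first RECORD_LEN bytes; "secret" bytes that
 * stand in for private-key material sit immediately after it. */
#define ARENA_SIZE 64
#define HB_PADDING 16                          /* RFC 6520 minimum padding */
#define RECORD_LEN (1 + 2 + 1 + HB_PADDING)    /* type, length, 1 payload byte, padding = 20 */

static unsigned char arena[ARENA_SIZE];
static const char secret[] = "PRIVATE-KEY-BYTES";   /* constructed placeholder, 17 bytes */

static void build_arena(void) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                       /* HeartbeatRequest */
    arena[1] = 0x00; arena[2] = 0x30;   /* claimed payload length: 48, but only 1 byte follows */
    arena[3] = 'A';                     /* the real payload */
    /* bytes 4..19 are zero padding; the secret starts at offset RECORD_LEN */
    memcpy(arena + RECORD_LEN, secret, sizeof secret - 1);
}

/* Parse the 16-bit big-endian payload length field. */
static size_t claimed_payload_len(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable handler: trusts the claimed length and copies that many bytes from
 * the payload position, reading past the real record into neighbouring memory.
 * Returns the number of bytes placed in out. */
size_t heartbeat_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap) {
    size_t payload = claimed_payload_len(rec);
    (void)rec_len;                      /* the bug: the real record length is never consulted */
    if (payload > out_cap) payload = out_cap;   /* only protects our own output buffer */
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Fixed handler: the check added by the OpenSSL patch. The record must actually
 * contain type + length + payload + padding; otherwise discard and copy nothing. */
size_t heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2) return 0;      /* not even a complete length field */
    size_t payload = claimed_payload_len(rec);
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Does the reply buffer contain the placeholder secret? */
int reply_leaks_secret(const unsigned char *out, size_t n) {
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

/* Scenario entry points: run the malformed record through each handler. */
int vulnerable_leaks_secret(void) {
    unsigned char out[ARENA_SIZE];
    build_arena();
    size_t n = heartbeat_reply_vulnerable(arena, RECORD_LEN, out, sizeof out);
    return reply_leaks_secret(out, n);
}

size_t fixed_bytes_copied(void) {
    unsigned char out[ARENA_SIZE];
    build_arena();
    return heartbeat_reply_fixed(arena, RECORD_LEN, out, sizeof out);
}

/* A well-formed record (claimed length 1, one payload byte, 16 bytes padding)
 * must still be answered by the fixed handler. */
size_t fixed_valid_bytes_copied(void) {
    unsigned char rec[RECORD_LEN] = {1, 0x00, 0x01, 'A'};   /* remaining bytes are zero padding */
    unsigned char out[ARENA_SIZE];
    return heartbeat_reply_fixed(rec, sizeof rec, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler bytes copied (malformed record): %zu\n", fixed_bytes_copied());
    printf("fixed handler bytes copied (valid record): %zu\n", fixed_valid_bytes_copied());
    return 0;
}
```

The point for defenders is the one the article makes: the leaked bytes are whatever happened to be adjacent in memory, so patching stops further leaks but cannot undo what may already have been read, which is why key rotation and certificate reissue follow the patch.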
It was discovered early last week and has affected sites such as Yahoo, Tumblr, Pinterest, Google and more. If you have not changed your passwords at these sites, do it now.
A few days ago, content distribution network Cloudflare stated that Heartbleed may not be as bad as feared, as it believed it would be difficult, if not impossible, for hackers to use the vulnerability to steal a website's private security keys.
A website's private security keys are so important because hackers could use them to impersonate the site. Additionally, hackers could use these keys to access user data sent to the website even after it has been patched to fix the Heartbleed vulnerability. The only way to fix this is for the affected website to update its security certificate and obtain new private security keys.
To be extra sure, Cloudflare launched "The Heartbleed Challenge" and invited everyone and anyone to try to steal the private security keys of a server. In just nine hours, software engineer Fedor Indutny and Ilkka Mattila succeeded in obtaining the security keys. They were followed by two others: Rubin Xu, a PhD student in the Security group at Cambridge University, and security researcher Ben Murphy.
As a result, Cloudflare has recommended that all affected parties revoke and reissue their private keys. “Our recommendation based on this finding is that everyone reissue and revoke their private keys,” Cloudflare wrote in an update today. “CloudFlare has accelerated this effort on behalf of the customers whose SSL keys we manage.”
This finding is troubling, because it means that the fix is not as easy as patching the OpenSSL vulnerability and having everyone change their passwords. And as we mentioned earlier, this confirms that unless websites come clean, state that they have been affected and confirm that they have taken the necessary steps to rectify it, there is little users can do to protect themselves other than changing their passwords at websites that have been confirmed to be rid of the Heartbleed vulnerability.
Source: Ars Technica