University of Southern California

Server certificates and Heartbleed

Posted on by Robert

Cloudflare, a large web-hosting company, has a very detailed article on why server certificates' private keys are not, in practice, extractable using the Heartbleed bug:

http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

They set up a test server and challenged anybody to obtain the private key. One person succeeded by exploiting Heartbleed immediately after the test server was rebooted.

Still, their conclusion is that, because of the way memory is allocated and accessed, the probability of a successful extraction is very low, even with Apache.
