Counterterrorism Blog. In Homeland Security - News and Analysis of Critical Issues in H. Entropic Memes Blog. UNREDACTED. IMINT & Analysis. Danger Room. Threat Level. GroupIntel. On Security. This is an update to my earlier post. Cloudflare is reporting that it's very difficult, if not practically impossible, to steal SSL private keys with this attack. Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data.
Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible.
The reasoning is complicated, and I suggest people read the post. This xkcd comic is a very good explanation of how the vulnerability works. EDITED TO ADD (4/12): We have one example of someone successfully retrieving an SSL private key using Heartbleed. The statement also says: Another point.