Heartbleed may not leak private SSL keys after all: After this week’s massive Heartbleed bug, one of the biggest concerns was that the bug might leak a website’s private SSL keys, the key to the green lock that secures data sent to users. It’s especially dangerous because, if an attacker did access the keys, they could be used even after the server was patched, allowing attacks months or even years in the future.
“IF IT IS POSSIBLE, IT IS AT A MINIMUM VERY HARD.”
But today, the content distribution network CloudFlare has announced Heartbleed may not allow access to those private keys after all. In two weeks of testing, the company has been unable to successfully access private keys with Heartbleed, suggesting the attack may not be possible at all. “If it is possible, it is at a minimum very hard,” researcher Nick Sullivan writes. “And we have reason to believe… that it may in fact be impossible.” If true, it makes Heartbleed much less dangerous than many had feared, offering a saving grace for compromised sites. “Heartbleed still is extremely dangerous,” says CEO Matthew Prince, “but some of the worst fears about it having been used by organizations like the NSA to hoover up everyone’s private SSL keys look pretty unlikely to us based on this testing.”