Here’s what appears to be the first glimmer of good news about the Heartbleed security vulnerability: The very worst of all the worst scenarios may not be possible.
After a series of extensive tests, researchers at CloudFlare, a firm that helps companies secure their sites from automated attacks, have found that it is very difficult, maybe impossible, to use the vulnerability to steal private certificate keys from servers.
Security experts have worried that private keys taken from vulnerable servers could be used to create false servers that impersonate legitimate ones. The keys are used to generate certificates that prove that a server is legitimate, the way a person uses a passport or driver's license. Imagine signing into your bank's site only to find later on that it was not your bank's site at all, and now someone has your user name and password.
It turns out that using Heartbleed to obtain private keys is very difficult. CloudFlare disclosed its findings in a blog post this morning. Its security architect Nick Sullivan says the company has conducted several tests on vulnerable servers and found that getting copies of the private keys used to create server certificates — which Web servers use to prove their identity — is a lot harder than previously thought. Sullivan stopped just short of calling it impossible.
“After extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible.”
The discovery is important because, if confirmed by further testing and research, it would erase at least one of the worst-case scenarios that has been speculated about since the Heartbleed vulnerability was publicly disclosed earlier this week: That attackers could impersonate vulnerable sites, setting up fake servers intended to lure users into handing over their user names and passwords.
CloudFlare has set up a server designed to encourage further testing to verify its findings. It’s called the CloudFlare Heartbleed Challenge. Anyone who thinks they can do it has been invited to steal the private keys from a server that has been intentionally left vulnerable to Heartbleed.
As Sullivan put it: “The more eyes we get on the problem, the more confident we will be that, in spite of a number of other ways the Heartbleed vulnerability was extremely bad, we may have gotten lucky and been spared the worst of the potential consequences.”
Update as of 8:05 PM PDT: CloudFlare’s challenge has been defeated. Read more about that here.