For the Heartbleed Doubters

I promise that this is not going to become the All Heartbleed All The Time blog, but in my defence, this is kind of a big deal. A vendor called CloudFlare decided to perform a practical test of the exploitability of Heartbleed by setting up a vulnerable site and challenging people to steal the private key. I think these two quotes encapsulate the story perfectly: Here’s the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. …


PSA: Heartbleed OpenSSL Vulnerability

Over dinner last night one of my friends was talking about an OpenSSL vulnerability that had just been disclosed; this morning I took a closer look and decided that I want to boost the signal a bit. The Heartbleed OpenSSL vulnerability affects recent releases of OpenSSL. Affected systems can be made to reveal secret keys; this is arguably one of the worst ways in which an encryption library can fail, and if you are publishing anything that is secured with SSL (e. …
