The site that was one of the first to raise the alarm about the Heartbleed OpenSSL security bug was also among the first to get overconfident about how dangerous it could be, and get stung for it. On April 11, CloudFlare, Inc. -- one of the sites that got the news about Heartbleed early so it could fix its own code before the flaw became public knowledge -- announced that its coders had tried for two weeks to use the flaw to extract a private key from their own server, with no success. Other researchers had been able to pull usernames and passwords, browser cookies, site-administrator logins, and any other data that had recently been read into a vulnerable server's memory, but no one had been able to get a server's X.509 private encryption key -- the secret half of the public/private key pair on which most encryption of messages on the Internet depends.
"After extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data," CloudFlare researcher Nick Sullivan wrote in an April 11 blog asking the Internet to have a go at the same problem -- and at a CloudFlare server with the Heartbleed flaw. "If it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible."
It took less than three hours for Moscow-based Node.js programmer Fedor Indutny to extract the private key, using a Node.js script that sent 2.5 million queries in the hope one would come back with the key.
It took the second winner, Ilkka Mattila of NCSC-FI, nine hours and 100,000 requests. There were two more winners by the end of Saturday, April 12. By the end of the day, anyone clicking on the URL for the Heartbleed Challenge, which CloudFlare put up to host the project, got a response saying the server's X.509 certificate had been revoked and its identity could no longer be confirmed.
CloudFlare pulled the certificate itself, according to a follow-up blog post from Sullivan naming the winners. He explained that CloudFlare pulled the certificate as part of its own remediation effort, which was extended to include revoking and reissuing the certificates for its own sites and those of its customers. CloudFlare executives had hoped to avoid the effort and cost of replacing the certificates, as well as the inevitable errors from the inconsistent, often convoluted process of not only replacing old certificates with new ones, but actively revoking the old certificates and making the revocation stick.