Heartache and Heartbleed

Two weeks after the Heartbleed bug was announced, CloudFlare patched the Heartbleed bug, created a challenge to prove the bug could be used to find private keys (uncovering a second bug in OpenSSL) and turned its entire network into a giant honeypot. This session will discuss the specific steps taken to prevent early disclosure, creating and scaling the first public vulnerability test, how the CloudFlare Heartbleed challenge showed that you can reveal private SSL keys (how a second bug in OpenSSL made this possible) the incredible impact of revoking over 100,000 certificates in a single day, and the results of our honeypot revealing the proportion of attack traffic versus research traffic.

Press mentions:

NYTimes
http://www.nytimes.com/2014/04/12/us/us-denies-knowledge-of-heartbleed-bug-on-the-web.html

Bloomberg
https://www.bloomberg.com/news/articles/2014-04-14/heartbleed-hackers-steal-encryption-keys-in-threat-test

Le Presse
http://www.lemonde.fr/pixels/article/2014/12/30/faille-de-securite-heartbleed-le-pire-scenario-a-ete-evite_4547487_4408996.html

Wired
https://www.wired.com/2014/04/nsa-heartbleed/

Engadget
https://www.engadget.com/2014/04/11/heartbleed-openssl-cloudflare-challenge/

SecurityWeek
http://www.securityweek.com/confirmed-heartbleed-exposes-web-servers-private-ssl-keys

ThreatPost
https://threatpost.com/stealing-private-ssl-keys-using-heartbleed-difficult-not-impossible/105413/

For
31c3
Date
Dec 28, 2014
Type
Talk
URL
www.youtube.com/watch?v=hfD6SgLWewQ