Private Crypto Keys Are Accessible to Heartbleed Hackers, New Data Shows
The results are a strong indication that merely updating servers to a version of OpenSSL that’s not vulnerable to Heartbleed isn’t enough. Because Heartbleed exploits don’t by default show up in server logs, there’s no way for sites that were vulnerable to rule out the possibility the private certificate key was plucked out of memory by hackers. Anyone possessing the private key can use it to host an impostor site that is virtually impossible for most end users to detect. Anyone visiting the bogus site would see the same https prefix and padlock icon accompanying the site’s authentic server.
The demonstration that it’s possible to extract private SSL certificates means that out of an abundance of caution, administrators of sites that used vulnerable versions of OpenSSL should revoke and replace old certificates with new ones as soon as possible. Given the huge number of sites affected, the revelation could create problems.
“The bad news is that [discovery] changes our recommendation from: reissue and revoke as a medium priority to reissue and revoke as a high priority,” Matt Prince, CEO of CloudFlare wrote in an e-mail to Ars. “We’ve accelerated our own reissuance and revocation process.”