Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed?

What's this blog post about?

OpenSSL, a widely used open-source library, revealed a major bug known as "Heartbleed" on April 11, 2014. The vulnerability allows an attacker to send a specially crafted packet to a server running an unpatched, vulnerable version of OpenSSL and retrieve up to 64kB of the server's working memory per request. There was initial concern that this could expose private SSL keys, which would let an attacker impersonate affected sites. However, after extensive testing by CloudFlare engineers, it appears that while Heartbleed can reveal sensitive data from HTTP and TLS requests, extracting private SSL keys is extremely hard or possibly impossible on most NGINX servers. Despite this, as a precautionary measure, CloudFlare has begun the process of reissuing and revoking potentially affected certificates.

Company
Cloudflare

Date published
April 11, 2014

Author(s)
Nick Sullivan

Word count
2624

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.