Searching for The Prime Suspect: How Heartbleed Leaked Private Keys

What's this blog post about?

In April 2014, John Graham-Cumming revealed that Heartbleed could leak private SSL keys through its messages. The Heartbleed Challenge demonstrated this vulnerability within hours of launching. Most people who obtained the challenge server's private SSL key did so by searching for prime numbers in Heartbleed message results. OpenSSL was initially believed to cleanse memory of primes, but further investigation showed that it left copies of these numbers throughout its memory space. This made them vulnerable to Heartbleed attacks. To address this issue, patches were developed and submitted to the OpenSSL team, including one that cleanses memory before freeing it and another that prevents caching of Montgomery parameters. A more radical solution is not storing private keys within OpenSSL at all, which CloudFlare has been testing.

Company
Cloudflare

Date published
April 27, 2014

Author(s)
John Graham-Cumming

Word count
1790

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.