Staying ahead of OpenSSL vulnerabilities
On April 7, 2014, a vulnerability in OpenSSL 1.0.1 was announced that can reveal up to 64kB of memory to a connected client or server (CVE-2014-0160). CloudFlare fixed this issue before it went public, and all sites using their SSL service were automatically protected. OpenSSL is the core cryptographic library CloudFlare uses for SSL/TLS connections, and it has a large deployment on the internet. CloudFlare encourages others running servers that use OpenSSL to upgrade to version 1.0.1g, or to recompile with the OPENSSL_NO_HEARTBEATS flag enabled, for protection against this vulnerability. The fix exemplifies responsible disclosure, in which stakeholders are given a chance to fix an issue before it is publicly disclosed, helping keep the internet safe.
Company: Cloudflare
Date published: April 7, 2014
Author(s): Nick Sullivan
Word count: 281
Hacker News points: None found.
Language: English