The Hidden Costs of Heartbleed
CloudFlare recently reissued and revoked all of its customers' SSL certificates due to the Heartbleed vulnerability. The decision was made after considering the costs associated with certificate revocation, which can impose significant bandwidth burdens on both website visitors and Certificate Authorities (CAs). When most browsers visit an HTTPS website, they use either the Online Certificate Status Protocol (OCSP) or a Certificate Revocation List (CRL) to check whether the site's certificate has been revoked. OCSP imposes more backend lookups but less bandwidth cost, while a CRL generates fewer requests but can become large and bandwidth-intensive. After reissuing all SSL certificates, CloudFlare saw a spike in global CRL activity, with GlobalSign's CRL growing from 22KB to approximately 4.7MB. This generated around 40Gbps of net new traffic across the Internet and would have added $400,000 USD to GlobalSign's monthly bandwidth bill if they were using AWS's infrastructure, totaling at least $952,992.40/month. The costs associated with certificate revocation can be significant, and CAs may not always have the resources in place to handle increased load.
Company: Cloudflare
Date published: April 17, 2014
Author(s): Matthew Prince
Word count: 585
Hacker News points: None found.
Language: English