The popular off-site storage hosting service CloudFlare recently posted a challenge to any and all comers who thought they could pull private keys off an nginx server running a still-vulnerable version of the OpenSSL framework thanks to the Heartbleed bug.
In just a few short hours after the server in question went live, a software engineer named Fedor Indutny was able to pull unencrypted, plaintext usernames and passwords off the test dummy by sending a whopping 2.5 million requests over the course of the day.
About 30 minutes after Indutny was announced the victor, another security researcher from NCSC-FI Illkka Mattila confirmed he was able to achieve the same feat, albeit with far fewer requests topping out at just over 100,000 in total.
Dan Kaminsky, who was responsible for originally finding and publicizing the bug, weighed in on his blog about the role that system administrators should have on the tails of this digital disaster:
“My advice is pretty exclusively for sysadmins and CISOs, and is something akin to “Patch immediately, particularly the systems exposed to the outside world, and don’t just worry about HTTP. Find anything moving SSL, particularly your SSL VPNs, prioritizing on open inbound, any TCP port. Cycle your certs if you have them, you’re going to lose them, you may have already, we don’t know. But patch, even if there’s self signed certs, this is a generic Information Leakage in all sorts of apps. If there is no patch and probably won’t ever be, look at putting a TLS proxy in front of the endpoint. Pretty sure stunnel4 can do this for you.”
By the time CloudFlare was able to post the results of the challenge, two more contestants (netsec scientist Ben Murphy and a PhD student from Cambridge Rubin Xu), came forward out of the fray to announce they had also been successful in exploiting the network and stealing the credentials contained within.
All in all the proof of concept went as planned, and although these cracks were only made with the help of a formal announcement and an openly available honeypot, it goes to show how swiftly and easily the usernames and passwords of unsuspecting users could be swiped from any websites that have yet to update/revoke their current OpenSSL certificates.