Hide yo kids, hide yo passwords…
A CDN (Cloudflare) issued a challenge earlier this week for all comers to prove that the SSL bug is more than just theoretical by putting up a test server for folks to hack. Well, as of last night, several people have actually done so:
Below is what we thought as of 12:27pm UTC. To verify our belief we crowd sourced the investigation. It turns out we were wrong. While it takes effort, it is possible to extract private SSL keys. The challenge was solved by Software Engineer Fedor Indutny and Ilkka Mattila at NCSC-FI roughly 9 hours after the challenge was first published. Fedor sent 2.5 million requests over the course of the day and Ilkka sent around 100K requests. Our recommendation based on this finding is that everyone reissue and revoke their private keys. CloudFlare has accelerated this effort on behalf of the customers whose SSL keys we manage. You can read more here.
If you were uncertain before about whether you should really change your passwords, this is all the proof you need to go change your passwords NOW.