Slashdot Mirror


Private Keys Stolen Within Hours From Heartbleed OpenSSL Site

Billly Gates (198444) writes "It was reported when Heartbleed was discovered that only passwords would be at risk and private keys were still safe. Not anymore. Cloudflare launched the Heartbleed challenge on a new server with the OpenSSL vulnerability and offered a prize to whoever could gain the private keys. Within hours several researchers and a hacker got in and got the private signing keys. Expect many forged certificates and other login attempts to banks and other popular websites in the coming weeks unless the browser makers and CAs revoke all the old keys and certificates."

10 of 151 comments

  1. https is dead by lougarou · · Score: 5, Funny

    For all practical purposes, https is dead. There is no way browsers will carry around the hundreds of thousands of possibly-stolen-so-unsafe certificates fingerprints (to consider these tainted/revoked). The only way forward is probably to move away to an incompatible protocol. And if possible, cure some of the X509 wrong ways.

  2. Re:Even root CA certificates may be at risk. by gweihir · · Score: 4, Funny

    That is BS. Nobody sane installs a root certificate on productive network-connected hardware, unless they are terminally stupid. Oh, wait...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. And the cry goes up from ten thousand admins, by SuricouRaven · · Score: 4, Funny

    Fuck.

    (Except here in the UK, we are more creative with our profanity.)

    1. Re:And the cry goes up from ten thousand admins, by John+Bokma · · Score: 3, Funny

      By Jove!

    2. Re:And the cry goes up from ten thousand admins, by Virtucon · · Score: 3, Funny

      Bollocks!

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    3. Re:And the cry goes up from ten thousand admins, by Teun · · Score: 4, Funny

      I say!

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  4. Re:I can't use cloudflare, connection is insecure by lgw · · Score: 5, Funny

    Internet Explorer for the win (my head asploded):

    There is a problem with this website's security certificate.

    This organization's certificate has been revoked.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

    We recommend that you close this webpage and do not continue to this website.

    Click here to close this webpage.

    I feel like I've fallen into Bizarro world, where IE is the safe browser and IIS the safe server. Maybe I should grow a goatee?

    --
    Socialism: a lie told by totalitarians and believed by fools.
  5. Re:The CA should not revoke the certificates, by Anonymous Coward · · Score: 5, Funny

    Pff now you're telling me the CA has the authority to tell me which certificates are bad??

    Oh piss on that!

  6. Re:Oh, man, what a mess by Anonymous Coward · · Score: 0, Funny

    I believe the key point you made there is that anyone running IIS was never vulnerable. In a way, I consider this poetic justice for all those people who were too cheap to invest in a secure commercial product and tried to pinch pennies on OpenSSL. Karma's a bitch.

  7. Re:The CA should not revoke the certificates, by dcollins117 · · Score: 4, Funny

    Pff now you're telling me the CA has the authority to tell me which certificates are bad??

    If that is an issue, there is nothing stopping you, or anyone, from becoming their own Certificate Authority. I've done this for my own sites, since I am at least 97% sure I am who I claim to be.