Subscribe to receive notifications of new posts:

Certificate Revocation and Heartbleed

2014-04-12

1 min read

As you may have noticed, the CloudFlare Heartbleed Challenge has been solved. The private key for the site cloudflarechallenge.com has been obtained by several authorized attackers via the Heartbleed exploit.

Any person who obtained the private key will be able to impersonate cloudflarechallenge.com, as Fedor Indutny demonstrated when proving he had the private key.

We have decided to revoke the certificate, but leave the site active so people can test their browsers. As we mentioned in a previous blog post, revocation is not a foolproof process. Each browser behaves differently when it encounters an expired certificate. If you are still able to visit the challenge site, you might have to change your browser settings.

Browser Behavior

Internet Explorer and Safari give warnings, but allow the user to bypass them.

Safari warning

Safari's warning

IE warning

IE's warning

Firefox fully denies access to sites using a revoked certificate.

Firefox warning

Firefox's warning

Chrome allows the site to load with no warning. This is because online revocation checking is disabled by default. Instead, Chrome uses a proprietary method called CRLSets which relies on a pre-compiled list of revoked certificates. Scott Helme describes how to enable online verification in the Chrome advanced settings:

Chrome revocation setting

It is more important than ever to check certificates to see if they have been revoked. According to Netcraft that certificate revocation has gone up sharply since the Heartbleed vulnerability was announced.

Netcraft statistics

We expect this trend to continue as more websites evaluate the risk that their private keys were stolen though Heartbleed. If your site was vulnerable to Heartbleed, we encourage you to talk to your CA to revoke your certificate an rekey.

I will be giving a webinar about this topic next week with updates. You can register for that here.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
HTTPSReliabilitySSLCommunityVulnerabilitiesSecurity

Follow on X

Nick Sullivan|@grittygrease
Cloudflare|@cloudflare

Related posts

October 09, 2024 1:00 PM

Improving platform resilience at Cloudflare through automation

We realized that we need a way to automatically heal our platform from an operations perspective, and designed and built a workflow orchestration platform to provide these self-healing capabilities across our global network. We explore how this has helped us to reduce the impact on our customers due to operational issues, and the rich variety of similar problems it has empowered us to solve....

October 08, 2024 1:00 PM

Cloudflare acquires Kivera to add simple, preventive cloud security to Cloudflare One

The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. ...

October 06, 2024 11:00 PM

Enhance your website's security with Cloudflare’s free security.txt generator

Introducing Cloudflare’s free security.txt generator, empowering all users to easily create and manage their security.txt files. This feature enhances vulnerability disclosure processes, aligns with industry standards, and is integrated into the dashboard for seamless access. Strengthen your website's security today!...