1) CloudFlare rocks. They’re a great organization and they continue to do great things.
2) I suspected that this would be the case, given the very reasons provided (that certificate data is loaded into memory early on, and therefore unlikely to be found in memory space following the heartbeat packet) but I’ve seen other assertions (one in particular is found on heartbleed.com) where the authors claim to have stolen private key data. From heartbleed.com:
We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
While I previously suspected that these claims were only being made under optimal (and unlikely-in-the-real-world) conditions for the hacking team, I didn’t have much in the way of evidence beyond my understanding of these systems (which I was all-too-ready to toss out in favor of testimony from perceived experts). Now, however, I seriously suspect they’re blowing smoke. As my previous blog posts on the subject indicate, I have thought this bug to be overplayed in the sense of exploitation by run-of-the-mill criminals, but not so much in the sense of exploitation by resource-heavy government-backed operations. This thought is based on the seemingly-underplayed difficulty involved in obtaining useful data from those little memory space blocks left vulnerable by this exploit. And I would expect the difficulty to grow with larger systems featuring huge amounts of memory space to scour for that tiny amount of valuable information (in terms of the private key, that is).
We’ll see if anyone manages to steal the private key data from CloudFlare’s test site; another great idea from that group. I hope no one succeeds, or that success is only met after long, arduous attempts or encounters with unlikely serendipitous conditions. I hope this not only for the sake of public security, but also my confidence in my understanding of information technology systems. =)