david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

The Heartbleed Challenge

April 2014

Cloudflare's engineers have set up a server vulnerable to Heartbleed. If you find the secret SSL keys and publish your solution, you'll get 10,000$. The challenge is here and there's a blog post here.

an attacker can get up to 64kB of the server’s working memory. This is the result of a classic implementation bug known as a Buffer over-read.

Apparently it is not known whether it is possible to find those keys. If it turns out to be possible, the results would be catastrophic, as every single website that has used OpenSSL would have to revoke its certificate and ask for a new one. And as Cloudflare says:

the certificate revocation process is far from perfect and was never built for revocation at mass scale.

So it would then be very easy for any server to pretend to be someone else.

A heartbeat is a message that is sent to the server just so the server can send it back. This lets a client know that the server is still connected and listening. The Heartbleed bug was a mistake in the implementation of the response to a heartbeat message.

This is the code in question:


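p = &s->s3->rrec.data[0];   /* start of the received heartbeat record */

[...]

hbtype = *p++;              /* first byte: heartbeat message type */
n2s(p, payload);            /* next two bytes: payload length as claimed by the sender */
pl = p;                     /* pl now points at the start of the payload */

[...]

buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;

[...]

/* copies payload bytes without checking that the record really holds that many */
memcpy(bp, pl, payload);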
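
As an added illustration (not code from the original post or from OpenSSL), here is a simplified heartbeat responder in C with the length check that the excerpt above lacks: a request whose claimed payload length does not fit in the bytes actually received is discarded, as RFC 6520 requires. The `struct record` type, the function name and the sample request are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16  /* minimum padding length required by RFC 6520 */
/* Hypothetical stand-in for the received record (s->s3->rrec in the excerpt). */
struct record {
    const uint8_t *data;  /* type (1) | payload length (2) | payload | padding */
    size_t length;        /* number of bytes actually received */
};

/* Returns a malloc'd response and sets *out_len, or NULL if the request is discarded. */
uint8_t *hb_respond_checked(const struct record *rec, size_t *out_len)
{
    const uint8_t *p = rec->data;
    if (rec->length < 1 + 2 + HB_PADDING || *p++ != HB_REQUEST)
        return NULL;
    size_t payload = ((size_t)p[0] << 8) | p[1];  /* the value n2s() extracts */
    /* The check the excerpt lacks: the claimed length must fit in the record. */
    if (1 + 2 + payload + HB_PADDING > rec->length)
        return NULL;
    uint8_t *buffer = malloc(1 + 2 + payload + HB_PADDING);
    if (buffer == NULL)
        return NULL;
    uint8_t *bp = buffer;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, p + 2, payload);           /* p + 2 is pl in the excerpt; bounded now */
    memset(bp + payload, 0, HB_PADDING);  /* real implementations use random padding */
    *out_len = 1 + 2 + payload + HB_PADDING;
    return buffer;
}

int main(void)
{
    uint8_t req[3 + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    struct record rec = { req, sizeof req };  /* constructed sample request */
    size_t n = 0;
    for (int pass = 0; pass < 2; pass++) {
        uint8_t *resp = hb_respond_checked(&rec, &n);
        printf("claimed length 0x%02x%02x: %s\n", req[1], req[2], resp ? "answered" : "discarded");
        free(resp);
        req[1] = 0x40;  /* second pass: same bytes, claiming 0x4004 payload bytes */
    }
    return 0;
}
```

The first pass is answered with the 4-byte payload echoed back; the second, where the claimed length exceeds the record, is discarded before any copy takes place.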