So... The Heartbleed Challenge has been completed April 2014
So now, chaos begins. If you own a certificate, you not only have to change it, but you also have to revoke it. I wonder how many will change, and how many will revoke.
You can check that he indeed did it by doing this:
here why it works:
Putting that mapping in /etc/hosts lets your machine skip DNS lookup for that hostname, and just use his IP for that domain name.
Then, your browser checks the received certificate against the authenticated TLS connection, and sees that all is well, allowing you to connect without a warning.
Since the browser does not warn of a certificate mismatch, he must have a valid certificate for 'cloudflarechallenge.com'. QED.
The Cloudflare team reviewing the attack: