CloudFlare-powered websites are secure from the OpenSSL Heartbleed vulnerability.
Heartbleed (CVE-2014-0160) is a flaw in OpenSSL, encryption software used by the vast majority of websites to protect sensitive information. This vulnerability in OpenSSL allows an attacker to reveal up to 64KB of memory to a connected client or server. This flaw could expose sensitive data such as passwords or usernames - even when you thought it was encrypted.
No impact on CloudFlare service. Our team has conducted a comprehensive security review to ensure our customers were not impacted. One concern is that an attacker may have had access to the exploit before March 31, since the flaw had been present since December 2011. We’ve seen no evidence of this, but we’re proceeding as if it is a possibility.
Private key data. Our security and cryptographic team has been testing the possibility that private SSL key data may have been retrieved. We have been unable to replicate a situation where private SSL key data would leak. We have set up a challenge to see if others can exploit the bug. See more information on our blog post from April 11 2014.
New certificates for everyone. (Updated April 12, 2014 1450 UTC)
As previously mentioned, out of an abundance of caution, we began the process of reissuing and revoking the keys CloudFlare manages on behalf of our customers. To ensure that we didn’t overburden the certificate authority resources given the scale at which CloudFlare operates, we staged this process. We expect the process to be complete by early next week [see note below] and will update our Enterprise, Business and Pro customers when your new certificates are active.
(Updated April 16, 2014 -- All reissuing and revocation was completed for all CloudFlare-issued customer SSL certificates as of 19:07:57 UTC on Wednesday April 16, 2014.)
General recommendations for safe web hygiene
There are some precautions you can take to protect yourself from the Heartbleed bug.
1. Get custom certificates reissued. If you’re using CloudFlare custom certificates, have your certificate authority reissue you a new certificate. After it is installed and confirmed working, revoke all previous certificates.
2. Upgrade OpenSSL on your server. While CloudFlare is protecting your server from receiving Heartbleed attacks, you should still upgrade to the latest version of OpenSSL as soon as possible. Get version 1.0.1g here:
If you can’t upgrade immediately, you can recompile OpenSSL with
3. Change passwords. Even with these fixes, we recommend that you change your password for CloudFlare and any other online services you may use. You should also consider enabling 2-factor authentication, which will help protect your account even if your password is compromised.
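As an added illustration of why step 2 matters (a simplified model written for this page, not OpenSSL's or CloudFlare's code): the flaw is a missing comparison between the payload length a peer claims in a heartbeat request and the length of the record that actually arrived, and because the length field is 16 bits the over-read is bounded at roughly 64KB. The `heartbeat_fixed` handler carries the same check that OpenSSL 1.0.1g added; the record layout, the `run_scenario` buffer and the secret string are constructed for the demonstration.

```c
/* Added example, not OpenSSL's code: a simplified TLS heartbeat handler.
 * Record = 1-byte type, 2-byte payload length, payload, >=16 bytes padding.
 * The vulnerable handler trusts the 16-bit length (hence "up to 64KB"), so a
 * short record claiming a long payload echoes whatever follows it in memory.
 * "memory" is a constructed buffer, so the over-read stays inside one array. */
#include <stdint.h>
#include <string.h>
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
typedef int (*hb_handler)(const uint8_t *rec, size_t rec_len, uint8_t *out);

/* Echo the payload into out; return bytes written, or -1 if rejected. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                                  /* never consulted: the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* reads past the record */
    return 3 + payload;
}
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1; /* the 1.0.1g check */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* now within the record */
    return 3 + payload;
}
struct leak_result { int response_len; int bytes_beyond_record; int secret_echoed; };

/* Constructed scenario: a 23-byte record ("ping" + 16 bytes padding) whose
 * length field claims `claimed` bytes, with a secret placed right after it. */
static struct leak_result run_scenario(hb_handler handler, uint16_t claimed)
{
    static uint8_t memory[4096], out[4096];
    const char *secret = "SECRET-KEY-MATERIAL";
    size_t rec_len = 1 + 2 + 4 + HB_PADDING;
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed >> 8); memory[2] = (uint8_t)(claimed & 0xFF);
    memcpy(memory + 3, "ping", 4);
    memcpy(memory + rec_len, secret, strlen(secret));
    struct leak_result r = { handler(memory, rec_len, out), 0, 0 };
    if (r.response_len > (int)rec_len) {            /* echoed bytes it never received */
        r.bytes_beyond_record = r.response_len - (int)rec_len;
        r.secret_echoed = memcmp(out + rec_len, secret, strlen(secret)) == 0;
    }
    return r;
}
```

A well-formed request (claimed length 4) is answered identically by both handlers; only the mismatched one is rejected by the fixed code.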
Want to learn more about Heartbleed?
Here are blog posts written by CloudFlare about Heartbleed.
- April 7, 2014 - Staying ahead of OpenSSL vulnerabilities
- April 11, 2014 - Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed?
- April 11, 2014 - The Results of the CloudFlare Challenge
- April 12, 2014 - Certificate Revocation and Heartbleed
- April 17, 2014 - The Heartbleed Aftermath: all CloudFlare certificates revoked and reissued
- April 17, 2014 - The Hidden Costs of Heartbleed
- April 28, 2014 - Searching for The Prime Suspect: How Heartbleed Leaked Private Keys