Update on the Heartbleed OpenSSL Vulnerability

CloudFlare-powered websites are secure from the OpenSSL Heartbleed vulnerability.

We fixed the flaw for all CloudFlare customers on Monday March 31, 2014, and published this notification on Monday April 7, 2014, after the researchers' public announcement.

Heartbleed (CVE-2014-0160) is a flaw in OpenSSL, the encryption library used by the vast majority of websites to protect sensitive information. A malformed TLS heartbeat request lets an attacker, acting as either a client or a server, read up to 64KB of the peer's process memory per request. That memory can contain sensitive data such as usernames, passwords and other information that was assumed to be protected by the encrypted connection.

No impact on CloudFlare service. Our team has conducted a comprehensive security review to ensure our customers were not impacted. One remaining concern is whether an attacker had access to the exploit before March 31, since the flaw had been present in OpenSSL since December 2011. Exploitation leaves no trace in ordinary server logs; we have seen no evidence of it, but we are proceeding as if it is a possibility.

Private key data. Our security and cryptographic team has been testing the possibility that private SSL key data may have been retrieved. We have been unable to replicate a situation where private SSL key data would leak. We have set up a challenge to see if others can exploit the bug. See our blog post from April 11, 2014 for details.

New certificates for everyone. (Updated April 12, 2014 1450 UTC)

Two security researchers have successfully solved the Heartbleed challenge, proving that private SSL keys can be stolen by exploiting this vulnerability.

As previously mentioned, out of an abundance of caution, we began the process of reissuing and revoking the keys CloudFlare manages on behalf of our customers. To ensure that we didn’t overburden the certificate authority resources given the scale at which CloudFlare operates, we staged this process. We expect the process to be complete by early next week [see note below] and will update our Enterprise, Business and Pro customers when your new certificates are active.

(Updated April 16, 2014 -- All reissuing and revocation was completed for all CloudFlare-issued customer SSL certificates as of 19:07:57 UTC on Wednesday April 16, 2014.)

General recommendations for safe web hygiene

There are some precautions you can take to protect yourself from the Heartbleed bug.

1. Get custom certificates reissued. If you're using CloudFlare custom certificates, generate a new private key and have your certificate authority reissue your certificate on it; a certificate reissued on the old key gives no protection if that key was already read. After the new certificate is installed and confirmed working, revoke all previous certificates.

2. Upgrade OpenSSL on your server. While CloudFlare is protecting your server from receiving Heartbleed attacks, you should still upgrade to the latest version of OpenSSL as soon as possible. Get version 1.0.1g here:


If you can’t upgrade immediately, you can recompile OpenSSL with


3. Change passwords. Even with these fixes, we recommend that you change your password for CloudFlare and any other online services you use, once each service has deployed the patched OpenSSL and new certificates (a password changed on a still-vulnerable service can leak just like the old one). You should also consider enabling two-factor authentication, which helps protect your account even if your password is compromised.
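To make concrete both what the flaw above is and what the upgrade in step 2 changes, the following added example models the TLS heartbeat handler in C. It is constructed for this page and is not OpenSSL's code or CloudFlare's: the message layout follows RFC 6520, the vulnerable handler trusts the peer-supplied payload length the way OpenSSL 1.0.1 through 1.0.1f did, and the fixed handler adds the bounds check that 1.0.1g introduced. The OpenSSL project's advisory offered rebuilding with -DOPENSSL_NO_HEARTBEATS as the workaround for those who could not upgrade; compiling this example with that define shows its effect. The simulated "process memory", the planted secret string and the 16000-byte claimed length are all constructed sample data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of CVE-2014-0160; not OpenSSL's code.
 * RFC 6520 heartbeat: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEM_SIZE     (1u << 17)                    /* simulated process memory, 128 KiB */
#define OUT_CAP      (1 + 2 + 65535 + HB_PADDING)  /* largest response a 16-bit length allows */

/* Constructed secret that happens to live in the same heap as the record. */
static const char kSecret[] = "password=hunter2";

typedef struct {
    unsigned char *mem;  /* simulated process memory; the received record starts at offset 0 */
    size_t rec_len;      /* number of bytes actually received in the TLS record */
} conn_t;

/* Place a heartbeat request claiming `claimed` payload bytes but carrying only
 * `actual`, then plant the secret a little way past the end of the record. */
static void conn_init(conn_t *c, uint16_t claimed, size_t actual) {
    c->mem = calloc(MEM_SIZE, 1);
    if (!c->mem) abort();
    c->mem[0] = HB_REQUEST;
    c->mem[1] = (unsigned char)(claimed >> 8);
    c->mem[2] = (unsigned char)(claimed & 0xff);
    memset(c->mem + 3, 'A', actual);
    c->rec_len = 1 + 2 + actual + HB_PADDING;
    memcpy(c->mem + c->rec_len + 64, kSecret, sizeof kSecret);
}

/* Build the response once a payload length has been accepted. */
static int hb_reply(const conn_t *c, unsigned char *out, unsigned int payload) {
    out[0] = HB_RESPONSE;
    out[1] = c->mem[1];
    out[2] = c->mem[2];
    memcpy(out + 3, c->mem + 3, payload);   /* copies whatever follows the record if payload lies */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* OpenSSL 1.0.1 through 1.0.1f: the peer's length field drives the copy and is
 * never compared with the record length, so the copy runs past the record. */
static int hb_vulnerable(const conn_t *c, unsigned char *out) {
    const unsigned char *p = c->mem;
    if (p[0] != HB_REQUEST) return -1;
    return hb_reply(c, out, (unsigned int)(p[1] << 8 | p[2]));
}

/* OpenSSL 1.0.1g: silently discard (as RFC 6520 requires) any heartbeat whose
 * claimed payload plus padding does not fit inside the received record. */
static int hb_fixed(const conn_t *c, unsigned char *out) {
    const unsigned char *p = c->mem;
    unsigned int payload;
    if (c->rec_len < 1 + 2 + HB_PADDING) return -1;
    if (p[0] != HB_REQUEST) return -1;
    payload = (unsigned int)(p[1] << 8 | p[2]);
    if (1 + 2 + payload + HB_PADDING > c->rec_len) return -1;
    return hb_reply(c, out, payload);
}

#ifdef OPENSSL_NO_HEARTBEATS
/* The advisory's workaround: with this define the extension is never negotiated
 * and heartbeat records are not processed at all, patched or not. */
static int hb_dispatch(const conn_t *c, unsigned char *out, int use_fix) {
    (void)c; (void)out; (void)use_fix;
    return -1;
}
#else
static int hb_dispatch(const conn_t *c, unsigned char *out, int use_fix) {
    return use_fix ? hb_fixed(c, out) : hb_vulnerable(c, out);
}
#endif

/* Does the response carry the planted secret? */
static int leaks_secret(const unsigned char *out, int n) {
    size_t slen = strlen(kSecret), i;
    if (n < 0 || (size_t)n < slen) return 0;
    for (i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, kSecret, slen) == 0) return 1;
    return 0;
}

/* Run one heartbeat through the chosen handler.
 * Returns -1 if it was discarded, 1 if the response leaked the secret, 0 otherwise. */
static int heartbeat_outcome(uint16_t claimed, size_t actual, int use_fix) {
    conn_t c;
    unsigned char *out = calloc(OUT_CAP, 1);
    int n, r;
    if (!out) abort();
    conn_init(&c, claimed, actual);
    n = hb_dispatch(&c, out, use_fix);
    r = (n < 0) ? -1 : leaks_secret(out, n);
    free(out);
    free(c.mem);
    return r;
}

int main(void) {
    printf("1 byte sent, 1 claimed, vulnerable:     %d\n", heartbeat_outcome(1, 1, 0));
    printf("1 byte sent, 16000 claimed, vulnerable: %d\n", heartbeat_outcome(16000, 1, 0));
    printf("1 byte sent, 16000 claimed, fixed:      %d\n", heartbeat_outcome(16000, 1, 1));
    return 0;
}
```

Build it with `cc heartbleed_model.c` and the lying request returns 1 against the vulnerable handler and -1 against the fixed one; build again with `cc -DOPENSSL_NO_HEARTBEATS heartbleed_model.c` and every heartbeat, honest or not, is discarded, which is why the workaround was acceptable as a stopgap but an upgrade to 1.0.1g remained the real fix.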

Want to learn more about Heartbleed?

Here are blog posts written by CloudFlare about Heartbleed.
