Heartbleed exploit, patch, both released

As the Heartbleed fallout continues, the good news is that code to fix the problem in OpenSSL has been released. The bad news is that exploit code is also available.

Let's start with the latter, released by a chap who took up Cloudflare's challenge to coders, issued in the hope that someone, somewhere, would be able to use Heartbleed to extract a private SSL key from an undefended server it erected.

As we noted over the weekend, the challenge was met. The code for the 7th-fastest “solution” to the challenge is now available here. The author apologises for the inelegance of the Python code he spent a day working on. Cloudflare says the winner took just nine hours to crack the server and run off with the SSL certificate.