OpenSSL leaks server-Keys / The Heartbleed Bug

Lukas Tribus luky-37 at
Sat Apr 12 11:14:41 UTC 2014


> Thanks for the link. On a quick read it seems their conclusion is that
> while it is *extremely* unlikely that your private key(s) was/were
> stolen using nginx, you should still re-key and revoke. While
> comforting, not really of any great practical help.

They updated the post; their initial analysis was wrong.

Also see:

> Nice that CloudFlare (and no doubt others) received significant advance
> warning while the rest of us were left vulnerable. Just sayin...

They had no choice. They couldn't notify a lot of people about this; it
would have been leaked to exploit kits and black hats before OpenSSL
provided the bugfix. That would have been a lot worse.




More information about the nginx mailing list