The Heartbleed bug: what is it and how to protect your site?

Elenitsa Staykova Marketing, CloudFlare Nick Sullivan Systems Engineer, CloudFlare Ben Murphy Software Developer, Fonix

1

Our Program Today

Elenitsa Staykova – Introduction and Overview Nick Sullivan – What is Heartbleed? How to protect your site? Ben Murphy – Q&A on the CloudFlare Heartbleed challenge

2

CloudFlare At a Glance

Security ü  DDoS mitigation ü  WAF ü  SSL ü  Basic security

Performance ü  Static content caching ü  Dynamic content acceleration ü  Front end optimization ü  Rocket Loader, Mirage, Polish

More ü  DNS ü  Availability ü  Load balancing ü  Client intelligence ü  Reporting and insights

3

Our Global Network

4

The Heartbleed bug

²  What is the Heartbleed bug? ²  Open source software OpenSSL ²  Cryptographic portion of library OK ²  Information disclosure vulnerability

5

The Heartbleed bug

²  Sensitive information at risk ²  Usernames ²  Passwords ²  Private SSL keys

²  Private keys are keys to the kingdom ²  Sites may be vulnerable to impersonation ²  Heartbleed bug – a really big deal

6

The CloudFlare Heartbleed Challenge

²  Can you get private SSL keys using Heartbleed?

²  Crowd sourced investigation to find out

²  CloudFlareChallenge.com/Heartbleed

²  The world rose up to the challenge

²  Extracting private SSL keys using Heartbleed is

possible

7

Protecting your site – what do we recommend

²  http://istheinternetfixedyet.com/ Tracks sites still vulnerable to Heartbleed:

²  If site vulnerable, don’t access until updated PWs and certificates

²  If site not vulnerable, change PW

²  Website End users ²  Website Owners ²  Website Owners using CloudFlare

8

Q&A with Ben Murphy

²  Ben Murphy – one of top 4 winners who successfully solved the Heartbleed challenge

²  Solving the challenge ²  Used techniques ²  State of the Internet

²  Questions from the Audience

9

The End April 2014

10