Heartbleed has already become one of the most massive bugs to disrupt the entire web ecosystem, if there ever was one. And while fixes for the problem are still being sought, more information related to the bug continues to be revealed.
According to reports, four different researchers working separately on the bug have demonstrated that a server's private encryption key can be acquired using the Heartbleed bug. However, it has yet to be confirmed whether the issue can lead to a potential attack.
The new findings related to the bug have arrived via a challenge created by CloudFlare, a San Francisco-based company that runs a security and redundancy service for website operators.
As part of the challenge, CloudFlare asked the security community whether the flaw in the OpenSSL cryptographic library, which was made public last week, could be used to obtain the private key used to create the encrypted channel between users and websites, known as SSL/TLS (Secure Sockets Layer/Transport Layer Security).
"The private key is part of a security certificate that verifies a client computer isn't connecting with a fake website purporting to be a legitimate one. Browsers indicate a secure connection with a padlock and show a warning if the certificate is invalid," PC World wrote.
"Security experts thought it might be possible that the private key could be divulged by exploiting the Heartbleed flaw, which may have affected two-thirds of the Internet and set off a mad scramble to apply a patch that fixes it."
As of now, how each of the researchers succeeded in obtaining the private key hasn't been revealed. "It is at the discretion of the researchers to share the specifics of the techniques used," Nick Sullivan of CloudFlare wrote.