Update, Apr. 12: Barely a day after the challenge went up, Cloudflare now says that two people have independently used Heartbleed to steal the dummy private key. This suggests that what security researchers fear -- that attackers could spoof the identity of a Web site by stealing its private key -- is possible, though not without a great deal of effort.
Most of us have spent the last few days trying not to fall victim to the Heartbleed bug — changing passwords, checking routers, making sure we're protected, and so on. But one company is actively inviting hackers to try to steal a secret key from a server that contains the vulnerability.
How can this possibly be a good idea?
Well, if the challenge works, it could help security researchers better understand Heartbleed and the danger it represents.
Cloudflare, the Internet infrastructure company behind the hacking challenge, says that if somebody can prove that stealing that security key is possible, it would have tremendous implications for the Web's smooth performance. So the company set up a dummy server with the Heartbleed vulnerability and is encouraging people to use it to break in.
When you visit a secure Web site with your browser, it performs a check to determine if the site is who it says it is. That check depends on something called a security certificate, which ties the site's name to the site's public key; the matching private key stays on the server and is what proves the site is the genuine owner of that certificate. If the certificate passes the test, then the browser concludes that it is really talking to the site named in the certificate and not an impostor.
When the browser actually performs the check, it first confirms that the certificate carries a valid signature from a certificate authority it trusts. It then matches the certificate against a list of certificates that are no longer valid. Why "no longer valid," you ask? A valid certificate vouches for itself through that signature, and there are thousands if not millions of them, so keeping and searching a list of every currently valid certificate would be impractical and slow. So the browser checks only for certificates that have been declared invalid, or, in industry parlance, "revoked." (Browsers differ in how they get that information: some download revocation lists published by the certificate authorities, others ask the authority about a single certificate on the fly.)
Suppose an attacker found a way to steal a site's private key with Heartbleed and used it to masquerade as that site. Overnight, that would mean that any company that used OpenSSL and relied on these keys would need to patch the bug, then revoke its certificates and issue new ones tied to freshly generated keys. Unfortunately, you'd wind up with the same problem above: You'd have so many revoked certificates to run through that it would take forever, said Cloudflare's chief executive, Matthew Prince.
"The certificate authority infrastructure was never built to do a mass revocation of this many certificates," said Prince. "And because of the way the infrastructure is built, if you did do a mass revocation of millions of certificates it would significantly slow down the performance of the Internet itself, which is potentially very, very bad."
While browser makers could eventually design around the problem, it would be a huge headache for a long time, Prince added.
This is why Cloudflare's challenge is so important. The company's own tests suggest it's really hard to steal a private key and impersonate someone. But it's impossible to be 100 percent sure; you can never really prove that something won't happen. So throwing more manpower at the problem will help tell us just how hard it is to steal a key.
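What "stealing a key" amounts to in practice is worth making concrete. Heartbleed hands an attacker chunks of the server's memory, not a neatly labelled key, so the solver's real job is recognising key material inside the noise. The Python script below is an added example, not Cloudflare's code and not any challenge solver's: it builds a toy RSA key, plants one of its prime factors inside a constructed block of random bytes standing in for leaked memory, then slides a window across that block and tests each window for whether it divides the public modulus (the modulus is in the site's certificate, so the attacker already knows it). A window that divides the modulus is a prime factor, and from one factor the whole private key follows. The leak contents, the toy key size, the planting offset and the little-endian placement of the factor are all assumptions made for the demonstration; no Heartbleed request is sent.

```python
"""Spot an RSA private key inside a leaked block of server memory.

Added example, not Cloudflare's code and not any challenge solver's. The "heap
dump" is constructed below (random noise with one prime factor planted in it);
nothing on the network is touched. The key is toy-sized so the script runs fast.
"""
import math
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with a caller-supplied RNG so the whole demo is deterministic."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_rsa_key(bits=256, seed=1234):
    """Deterministic toy RSA key, returned as (n, e, d, p, q). Real keys are 2048+ bits."""
    rng, e = random.Random(seed), 65537

    def rand_prime(b):
        while True:
            cand = rng.getrandbits(b) | (1 << (b - 1)) | 1  # exactly b bits, odd
            if _is_probable_prime(cand, rng):
                return cand

    while True:
        p, q = rand_prime(bits // 2), rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return p * q, e, pow(e, -1, phi), p, q  # pow(e, -1, m) needs Python 3.8+


def plant_in_heap(secret, secret_len, heap_len=4096, offset=1337, seed=42):
    """Constructed 'leaked memory': random bytes with `secret` written at `offset`.

    Stored least-significant byte first, which is how bignum limbs lie in memory on
    a little-endian host (a layout assumption; the scanner tries both orders anyway).
    """
    rng = random.Random(seed)
    heap = bytearray(rng.randrange(256) for _ in range(heap_len))
    heap[offset:offset + secret_len] = secret.to_bytes(secret_len, "little")
    return bytes(heap)


def find_factor(n, heap, factor_len):
    """Slide a window over the leak; a window whose integer value divides n is a factor.

    n comes from the site's public certificate, so the attacker knows each prime's
    length in bytes. Returns (offset, byte_order, factor) or None.
    """
    for off in range(len(heap) - factor_len + 1):
        window = heap[off:off + factor_len]
        for order in ("little", "big"):
            cand = int.from_bytes(window, order)
            if 1 < cand < n and n % cand == 0:
                return off, order, cand
    return None


def rebuild_private_key(n, e, factor):
    """From one prime factor of n, recover the other and the private exponent d."""
    other = n // factor
    return pow(e, -1, (factor - 1) * (other - 1)), other


def recover_from_leak():
    """End to end: make a key, leak one factor in a heap image, find it, rebuild d, verify."""
    n, e, d, p, q = make_rsa_key()
    factor_len = ((n.bit_length() + 1) // 2 + 7) // 8  # bytes per prime, from n alone
    heap = plant_in_heap(p, factor_len)
    hit = find_factor(n, heap, factor_len)
    if hit is None:
        return None
    off, order, factor = hit
    d_rec, _ = rebuild_private_key(n, e, factor)
    m = 0xC0FFEE  # the recovered key must undo an encryption under the public key
    return {"offset": off, "byte_order": order, "key_matches": d_rec == d,
            "decrypts": pow(pow(m, e, n), d_rec, n) == m}


if __name__ == "__main__":
    print(recover_from_leak())
```

The script needs nothing beyond the standard library (Python 3.8 or later). The divisibility check costs one modular reduction per window, so scanning leaked memory is cheap even against a real 2048-bit modulus; the hard part in a live attack, and the thing the challenge measures, is whether the leak ever contains the key material at all.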
Cloudflare is now tracking "thousands" of people plugging away at the challenge. So far, nobody's solved it. Let's hope it stays that way.