Heartbleed Bug: How a JavaScript Coder Handled the CloudFlare Challenge

The Heartbleed bug is one of the rare security flaws to have made it into mainstream fame. While laypeople mostly need to know that it's time to change their passwords, coders ought to give Heartbleed more attention. At a minimum, the Heartbleed bug is a strong warning not to get sloppy with code. At a maximum, Heartbleed has the potential to force the mother of all redesigns in how the internet does security.

What is the Heartbleed Bug?

Heartbleed opens up the vaults of a server's encrypted data. The always-wonderful xkcd explains how (CC License): 


For a while it was unclear whether it was really so easy, or even possible, to reveal encrypted code with Heartbleed. The security service CloudFlare put out an open challenge to hack their own system using the Heartbleed bug after their own team failed to do so.

Nine hours later, a JavaScript programmer named Fedor Indutny did just that, and it only took him three hours of actual work. Indutny's concluding note in his blog post on how he did it contains both good news and bad:

"Note that it [Heartbleed] won't produce any result immediately, it took me 3 hours and a certain amount of luck to obtain the key in a CloudFlare's challenge."

So, it takes some time and a little luck, but ultimately, the power of the Heartbleed bug is confirmed. It can, in fact, expose the private information behind almost any website. (And yes, you need to change a lot of passwords.)

What Heartbleed means for the coder

If you hadn't learned this lesson already, let Heartbleed teach you: untested code is dangerous code. Code tests might have revealed the sort of overflow weaknesses exploited by Heartbleed. Hack Reactor's curriculum emphasizes code testing and pair programming to minimize costly errors.
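A test of the kind this section has in mind, as an added example that is neither OpenSSL's code nor from the original post: a simplified heartbeat handler following the RFC 6520 message layout, with the bounds check in place and a regression test that feeds it a request whose claimed payload length exceeds what was actually sent. The names hb_respond and hb_self_test and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload length */
#define HB_MIN_PAD  16  /* minimum padding after the payload */

/* Hypothetical handler, not OpenSSL's API. rec/rec_len is the record as
 * actually received. Returns the response length, or 0 if discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len,
                  uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    /* Payload length the peer claims; untrusted input. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t total = HB_HEADER + claimed + HB_MIN_PAD;
    /* The bounds check: the claimed payload must fit inside the bytes
     * really received. Without it, memcpy below reads past rec. */
    if (total > rec_len || total > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* echo payload */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);   /* zero padding for the demo */
    return total;
}

/* Regression test on constructed inputs; returns 0 when all cases pass. */
int hb_self_test(void)
{
    uint8_t out[64];
    /* Honest request: claims 4 payload bytes and carries 4. */
    uint8_t ok[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x00, 0x04, 'b', 'i', 'r', 'd' };
    /* Malformed request: claims 0x4000 payload bytes, carries 1. */
    uint8_t bad[HB_HEADER + 1 + HB_MIN_PAD] = { HB_REQUEST, 0x40, 0x00, 'x' };

    if (hb_respond(ok, sizeof ok, out, sizeof out) != sizeof ok) return 1;
    if (memcmp(out + HB_HEADER, "bird", 4) != 0) return 2;
    if (hb_respond(bad, sizeof bad, out, sizeof out) != 0) return 3;
    return 0;
}

int main(void) { return hb_self_test(); }
```

The third case is the one that matters: a handler that trusts the length field fails it, and running such a test under a memory checker reports the out-of-bounds read.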

But to some, Heartbleed revealed deep systemic issues that can only be solved by careful scrutiny of the internet's dominant security paradigm and the languages used to code it.

A discussion on Hacker News sparked a healthy debate on whether it is even possible to write secure code in C.

To one programmer (who provides a good explanation of how internet security currently works), Heartbleed provides the impetus for a long overdue revamp of web security. If he's right, the history of the internet might one day be divided into before and after Heartbleed.

Regardless, the Heartbleed bug has launched a deep dive into the current tools of coding and whether we should continue to use them going forward.
