Josh Ong, reporting for The Next Web:
Fedor Indutny, a core member of the node.js team, has proved that it is in fact possible for an attacker to sniff out the private SSL keys from a server left exposed by the Heartbleed bug. The proof came in response to a challenge from CloudFlare that called on the security community to grab the keys from a demo server.
If there was ever a doubt in your mind, this proves that the Heartbleed bug is the real deal.
(Via Daring Fireball.)