Josh Ong, reporting for The Next Web:

Fedor Indutny, a core member of the node.js team, has proved that it is in fact possible for an attacker to sniff out the private SSL keys from a server left exposed by the Heartbleed bug. The proof came in response to a challenge from CloudFlare that called on the security community to grab the keys from a demo server.

If there was ever a doubt in your mind, this proves that the Heartbleed bug is the real deal.

(Via Daring Fireball.)