What seemed like good news has quickly turned bad, if not downright terrifying. Saturday’s disclosure by Web security firm CloudFlare that at least one worst-case scenario related to the Heartbleed vulnerability might be impossible has been proven wrong by independent researchers in less than a day. Two independent tests have proven CloudFlare’s initial findings wrong, which means that certain nasty possibilities involving the bug are indeed possible. The firm had determined that using the Heartbleed vulnerability to steal private server keys appeared impossible, which looked to be the first good news since the bug was revealed earlier this week. CloudFlare had set up a public challenge seeking outside validation of the results of its own testing. The challenge lasted until late Friday afternoon Pacific Time. The first to pull out an SSL private key, according to CloudFlare, was Fedor Indutny, a Russian security researcher.