The Heartbleed vulnerability required any servers running vulnerable code to revoke and reissue replacement SSL certificates. Normally this happens, well, almost never.
The process of revoking SSL certificates requires updates to the CRL database. “CRL” = Certificate Revocation Lists. This is a list of all the SSL certificates that have been revoked, which web browsers reference to confirm if a certificate is still valid or not.
Matthew Prince, writing on CloudFlare’s blog on The Hard Costs of Heartbleed shares a bit of the “hidden” impact of this sudden surge in the CRL size:
Globalsign, who is CloudFlare’s primary CA partner, saw their CRL grow to approximately 4.7MB in size from approximately 22KB on Monday. The activity of browsers downloading the Globalsign CRL generated around 40Gbps of net new traffic across the Internet.
Globalsign was able to defer much of this new traffic, of course, to CloudFlare’s CDN.