Heartbleed is a vulnerability in some implementations of OpenSSL.
The vulnerability, which is more formally known as CVE-2014-0160, allows an attacker to read up to 64 kilobytes of memory per attack on any connected client or server. Heartbleed got its name because it is a flaw in OpenSSL's implementation of the Heartbeat Extension for the TLS and DTLS protocols (RFC 6520).
The vulnerability, which is caused by poorly written code, was discovered on the same day by Google and Codenomicon security researchers. The researchers quickly realized that an attacker could exploit the bug to expose encrypted content, usernames, passwords, and private keys for X.509 certificates. Because OpenSSL is used by approximately 66% of all active websites on the Internet, many experts have called Heartbleed one of the worst security bugs in the history of the Internet.
Heartbleed vulnerabilities exist in all versions of OpenSSL released between March 2012 and April 2014, at which time the software defect was corrected and OpenSSL version 1.0.1g was released. To lessen the potential negative effects of Heartbleed, OpenSSL.org recommends that enterprises upgrade to the most recent version of OpenSSL and reissue X.509 certificates with new keys.
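The defect behind Heartbleed was a missing bounds check: the heartbeat handler trusted the payload length claimed in the message header instead of comparing it with the number of bytes that had actually arrived. The following C parser is an added illustration, not OpenSSL's code; it follows the RFC 6520 message layout (type, two-byte payload_length, payload, at least 16 bytes of padding), performs the length comparison that was absent in OpenSSL 1.0.1 through 1.0.1f, and rejects a record whose claimed length exceeds the record. The two sample records and the helper names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TLS heartbeat message body (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3
#define HB_MIN_PAD  16

/* Return the payload length if the header's claim fits inside the bytes
 * that actually arrived, else -1 (RFC 6520 says discard silently). The
 * length comparison is the check missing in OpenSSL 1.0.1 to 1.0.1f. */
static int hb_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];  /* peer-controlled */
    if (HB_HDR_LEN + claimed + HB_MIN_PAD > rec_len)    /* bound it */
        return -1;
    return (int)claimed;
}

/* Build the heartbeat_response echoing the request payload into out.
 * Returns the response length, or -1 if the request was rejected. */
static int hb_build_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    int n = hb_payload_len(rec, rec_len);
    if (n < 0 || HB_HDR_LEN + (size_t)n + HB_MIN_PAD > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xff);
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, (size_t)n); /* only real bytes */
    memset(out + HB_HDR_LEN + n, 0, HB_MIN_PAD);            /* fresh padding */
    return HB_HDR_LEN + n + HB_MIN_PAD;
}

/* Constructed sample records, not captured traffic. Both carry a 4-byte
 * payload plus 16 zero bytes of padding; the second claims 0x4000 bytes. */
static const uint8_t hb_good[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_bad[23]  = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' };
```

With the check in place the oversized claim in hb_bad is discarded instead of being used as a copy length, so the response can never contain bytes that were not part of the request.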
All Internet users have been advised to change the passwords they use for Web sites.