Contributor(s): Sharon Shea

Heartbleed is a vulnerability in some implementations of OpenSSL.

The vulnerability, which is more formally known as CVE-2014-0160, allows an attacker to read up to 64 kilobytes of memory per attack on any connected client or server. Heartbleed got its name because it is a flaw in OpenSSL's implementation of the Heartbeat Extension for the TLS and DTLS protocols (RFC 6520). 

The vulnerability, which is caused by poorly-written code, was discovered on the same day by Google and Codenomicon security researchers. The researchers quickly realized that an attacker could exploit the bug to expose encrypted content, usernames, passwords, and private keys for X.509 certificates. Because OpenSSL is used by approximately 66% of all active websites on the Internet, many experts have called Heartbleed one of the worst security bugs in the history of the Internet.

Heartbleed vulnerabilities exist in all versions of OpenSSL released between March 2012 and April 2014, at which time the software defect was corrected and OpenSSL version 1.0.1g was released. To lessen the potential negative effects of Heartbleed, recommends that enterprises upgrade to the most recent version of OpenSSL and reissue X.509 certificates with new keys.  

All Internet users have been advised to change the passwords they use for Web sites.

See also: memory scraping malware, bug bounty program, crowdsource testing

This was last updated in April 2014

Continue Reading About Heartbleed

Dig Deeper on SSL and TLS VPN Security

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

The Heartbleed bug dates back to December 2011. Why did it take researchers so long to find it?
A former colleague would answer this question with one word: SNOWDEN. He believes the bad code was known (or heaven forbid, even paid for) by government agencies who relied on the bug for intelligence. His epic rant last night on "the incredible coincidence of two separate groups of researchers simultaneously finding the bug" almost had me reaching for my tin foil hat.
Sounds like your friend is fun at parties. :) While recent revelations make conspiracy theories like that easy to believe, I'd say it's probably more likely that the open source code is just really complex and it's not easy to find these sorts of vulnerabilities. Who knows what else has been lurking for years?
Well, there sure are a lot of coincidences surrounding Heartbleed that would make a good novel. The fact that the bad code went live right before midnight on New Year's Eve is just a bonus! (Remember that movie with Sean Connery and Catherine Zeta Jones where they planned a theft in Kuala Lumpur for the final seconds of the millennium countdown?)

Seriously, though, it's kind of amazing that Dr. Robin Seggelmann has come forward to acknowledge that he is the one who made the coding error and that it was an honest mistake, having nothing to do with surveillance.
Sure, but isn't that just what someone involved in surveillance would say? 
Great points Ben and Margaret. I'll also add that, surveillance theories aside, as much as researchers hold themselves on pedestals, they're not all knowing. Smart? Sure. Way smarter than me. But, like doctors that so many in society like to believe have all the answers, they're human. They have oversights and make mistakes like the rest of us.

I'd venture to guess that such a flaw might not be readily apparent to the human eye or even source code analyzers. But who am I to speculate. I'm still suspect of the whole Heartbleed thing - surely some government agency (higher power) is looking after us and has a bigger plan for the greater good.