Heartbleed

Overview

The Heartbleed bug is a severe software vulnerability in the OpenSSL cryptographic software library. This weakness allows an attacker to steal information that is normally protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

A close-up view of a computer screen showing lines of code, with a focus on a section that contains a bug or error.

Discovery and Impact

Heartbleed was discovered by a team of researchers from Codenomicon, a Finnish cybersecurity company, and by Neel Mehta, a security researcher on Google's security team, known as Google Zero. The bug was introduced into OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14 March 2012. OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug.

The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.

Technical Details

Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160. The bug is in OpenSSL's implementation of the TLS/DTLS heartbeat extension (RFC 6520). When exploited, it leaks memory contents from the server to the client and from the client to the server.
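The following is an added example written for this article; it is not code from OpenSSL or from the original page. It models, in simplified C, how a heartbeat request (RFC 6520 layout: type, two-byte payload length, payload, at least 16 bytes of padding) is turned into a response. The first function reproduces the defect class: it trusts the declared payload length and never compares it to the number of bytes actually received, so the copy runs past the end of the record. The second adds the record-length check that the fix introduced. The "adjacent memory" bytes and the function names are constructed for the demonstration, and the over-read is deliberately kept inside one constructed array so the program has no undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16). */

/* Model of the vulnerable code path: the declared payload_length is trusted and the
 * length of the record actually received is never consulted. Returns the response length. */
int heartbeat_response_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                   /* the real record length is ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;               /* only the destination buffer is checked */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);           /* reads past the record when payload_len lies */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Hardened version: the declared payload, header and minimum padding must fit inside the
 * record that was actually received; otherwise the message is silently discarded. */
int heartbeat_response_hardened(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1; /* too short for header + minimum padding */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_MIN_PADDING > rec_len) return -1;   /* the missing check */
    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING); /* real implementations use random padding */
    return (int)resp_len;
}

/* Constructed sample: a 21-byte request (2-byte payload "hi" + 16 bytes padding) whose header
 * declares a 40-byte payload, followed by bytes standing in for whatever sat next to it in memory. */
#define REC_LEN 21
static const uint8_t SAMPLE_MEMORY[64] = {
    HB_REQUEST, 0x00, 0x28,                          /* type, declared payload_length = 40 */
    'h', 'i',                                        /* the payload actually sent (2 bytes) */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* 16 bytes padding */
    'A','D','J','A','C','E','N','T','-','M','E','M','O','R','Y',':',
    'p','a','s','s','w','o','r','d'                  /* constructed adjacent data; rest is zero */
};

/* Returns how many bytes of the vulnerable response came from beyond the end of the record. */
int demo_vulnerable_leak(void)
{
    uint8_t out[128];
    int n = heartbeat_response_vulnerable(SAMPLE_MEMORY, REC_LEN, out, sizeof out);
    if (n < 0) return -1;
    int echoed = (out[1] << 8) | out[2];             /* payload bytes the response claims to echo */
    int present = REC_LEN - 3;                       /* payload + padding bytes really received */
    return echoed > present ? echoed - present : 0;  /* 22 for the sample above */
}

/* The hardened parser rejects the same record. */
int demo_hardened_result(void)
{
    uint8_t out[128];
    return heartbeat_response_hardened(SAMPLE_MEMORY, REC_LEN, out, sizeof out);   /* -1 */
}

/* A well-formed request (declared length matches the 2-byte payload) is answered normally. */
int demo_hardened_valid(void)
{
    uint8_t rec[REC_LEN] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };   /* padding zero-initialised */
    uint8_t out[128];
    return heartbeat_response_hardened(rec, sizeof rec, out, sizeof out);           /* 21 */
}

int main(void)
{
    printf("vulnerable parser leaked %d bytes from outside the record\n", demo_vulnerable_leak());
    printf("hardened parser result for the same record: %d (rejected)\n", demo_hardened_result());
    printf("hardened parser result for a valid record: %d bytes\n", demo_hardened_valid());
    return 0;
}
```

The response is the attacker-visible artefact in both directions: whichever side trusts the declared length echoes back bytes it never received, which is why the leak works from server to client and from client to server alike.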

Mitigation and Response

In response to the vulnerability, OpenSSL software was patched, and websites, email servers, and other online services were updated to use the patched version. Users were encouraged to change their passwords on all online services, especially those containing sensitive personal information.

A screenshot of OpenSSL code, highlighting the section where the Heartbleed bug was found.

Aftermath

The Heartbleed bug had a significant impact on the Internet and highlighted the reliance of many online services on OpenSSL. It led to a greater focus on the security of open-source software and the importance of maintaining and properly funding such projects.
