Everything you need to know about the Heartbleed Bug

14 Cards

CURATED BY Timothy B. Lee

2014-06-19 09:57:57 -0400

  1. Card 1 of 14

    What is the Heartbleed Bug?

  2. Card 2 of 14

    What should you do to protect yourself from the Heartbleed Bug?

  3. Card 3 of 14

    Which websites are affected?

  4. Card 4 of 14

    What is SSL?

  5. Card 5 of 14

    What's OpenSSL?

  6. Card 6 of 14

    How does the heartbleed attack work?

    The SSL standard includes a "heartbeat" option, which provides a way for a computer at one end of the SSL connection to double-check that there's still someone at the other end of the line. This feature is useful because some internet routers will drop a connection if it's idle for too long. In a nutshell, the heartbeat protocol works like this:

    [Diagram: Heartbleed_good, a normal heartbeat exchange]

    The heartbeat message has three parts: a request for acknowledgement, a short, randomly-chosen message (in this case, "banana"), and the number of characters in that message. The server is simply supposed to acknowledge having received the request and parrot back the message.

    The Heartbleed attack takes advantage of the fact that the server can be too trusting. When someone tells it that the message has 6 characters, the server automatically sends back 6 characters in response. A malicious user can take advantage of the server's gullibility:

    [Diagram: Heartbleed_bad, a heartbeat request whose claimed length exceeds its actual message]

    Obviously, the word "giraffe" isn't 100 characters long. But the server doesn't bother to check before sending back its response, so it sends back 100 characters. Specifically, it sends back the 7-character word "giraffe" followed by whichever 93 characters happen to be stored after the word "giraffe" in the server's memory. Computers often store information in a haphazard order in an effort to pack it into memory as tightly as possible, so there's no telling what information might be returned. In this case, the bit of memory after the word "giraffe" contained sensitive personal information belonging to user John Smith.

    In the real Heartbleed attack, the attacker doesn't just ask for 100 characters. The attacker can ask for around 64,000 characters of plain text. And it doesn't just ask once: it can send malicious heartbeat messages over and over again, getting back a different fragment of the server's memory each time. In the process, it can gain a wealth of data that was never intended to be available to the public.

    The fix for this problem is easy: the server just needs to be less trusting. Rather than blindly sending back as much data as is requested, the server needs to check that it's not being asked to send back more characters than it received in the first place. That's exactly what OpenSSL's fix for the Heartbleed Bug does.
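    The following is an added example, not code from the article or from OpenSSL, that models the "giraffe" exchange above in C. It assumes a simplified three-byte record header (type, then a two-byte claimed length) followed by payload and padding, which is a stand-in for the real TLS heartbeat format, and it places a constructed "secret" string right after the received record in a simulated server memory. The vulnerable handler echoes whatever length the peer claims; the fixed handler applies the check the article describes, refusing any request whose claimed length does not fit inside the bytes that were actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a heartbeat record (assumed simplified layout, not OpenSSL's):
 *   byte 0      : message type
 *   bytes 1..2  : claimed payload length, big-endian
 *   bytes 3..   : payload, then padding
 */
#define HB_REQUEST  1
#define HB_PADDING  16
#define HB_HEADER   3

/* Simulated server memory. The received record is written at the start and,
 * as in the article's diagram, unrelated data happens to sit right after it. */
static unsigned char server_memory[256];
static const char CONSTRUCTED_SECRET[] = "SECRET: John Smith, constructed sample";

/* Place a heartbeat request with the given payload and *claimed* length into
 * server_memory, followed by the constructed secret. Returns the number of
 * bytes the server actually received for this record. */
size_t build_request(const char *payload, uint16_t claimed_len)
{
    size_t plen = strlen(payload);
    size_t received = HB_HEADER + plen + HB_PADDING;
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (unsigned char)(claimed_len >> 8);
    server_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_memory + HB_HEADER, payload, plen);
    memcpy(server_memory + received, CONSTRUCTED_SECRET, sizeof CONSTRUCTED_SECRET);
    return received;
}

/* Vulnerable handler: echoes as many bytes as the peer *claims* it sent.
 * Returns bytes copied into out, or -1. The out_cap check only keeps this
 * toy inside its own buffers; it is not the missing security check. */
int heartbeat_vulnerable(const unsigned char *rec, size_t received,
                         unsigned char *out, size_t out_cap)
{
    (void)received;                        /* never consulted: that is the bug */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, claimed); /* runs past the real payload */
    return (int)claimed;
}

/* Fixed handler: the claimed payload must fit within the bytes that were
 * actually received; otherwise the request is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t received,
                    unsigned char *out, size_t out_cap)
{
    if (received < HB_HEADER) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + claimed + HB_PADDING > received) return -1;
    if ((size_t)claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, claimed);
    return (int)claimed;
}

/* Does the response contain the constructed secret? Plain byte search. */
int response_leaks_secret(const unsigned char *out, int n)
{
    if (n < 0) return 0;
    size_t len = (size_t)n, slen = strlen(CONSTRUCTED_SECRET);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(out + i, CONSTRUCTED_SECRET, slen) == 0) return 1;
    return 0;
}

/* Run one exchange through either handler; returns bytes echoed (or -1). */
int exchange(const char *payload, uint16_t claimed, int use_fix,
             unsigned char *out, size_t out_cap)
{
    size_t received = build_request(payload, claimed);
    return use_fix ? heartbeat_fixed(server_memory, received, out, out_cap)
                   : heartbeat_vulnerable(server_memory, received, out, out_cap);
}

int main(void)
{
    unsigned char out[200];
    int n = exchange("giraffe", 100, 0, out, sizeof out);
    printf("vulnerable: echoed %d bytes, secret leaked: %s\n", n,
           response_leaks_secret(out, n) ? "yes" : "no");
    n = exchange("giraffe", 100, 1, out, sizeof out);
    printf("fixed: result %d (request discarded)\n", n);
    n = exchange("giraffe", 7, 1, out, sizeof out);
    printf("fixed, honest request: echoed %d bytes: %.*s\n", n, n, out);
    return 0;
}
```

    The only difference between the two handlers is the single length comparison in `heartbeat_fixed`; everything else, including the copy, is identical. That is the shape of the real fix: the received record length was already available to the code, it simply was never compared against the length the peer claimed.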

  7. Card 7 of 14

    Who discovered the vulnerability?

  8. Card 8 of 14

    How did the Heartbleed bug get added to OpenSSL?

  9. Card 9 of 14

    What information can you get with a Heartbleed attack?

  10. Card 10 of 14

    Who might take advantage of the Heartbleed Bug?

  11. Card 11 of 14

    Have there been any successful attacks using the Heartbleed bug?

  12. Card 12 of 14

    What is being done to prevent future problems like Heartbleed?

  13. Card 13 of 14

    You didn't answer my question!

  14. Card 14 of 14

    How have these cards changed?
