Heartbleed in a few bullet points


April 10th, 2014, 1:56 am


Heartbleed is a vulnerability in the implementation of OpenSSL. OpenSSL runs on Linux, and about 2/3 of the world's websites run on Linux-based operating systems. Here's a brief explanation of the problem:

  • While a secure connection is open, the browser can send a heartbeat message to check that it can still reach the server.
  • Heartbeat messages are limited to a certain size, but the browser can request a heartbeat reply that is larger than the data it actually sent.
  • The server honours the oversized request.
  • The server's response contains the expected heartbeat data plus extra bytes to fill out the oversized reply.
  • Those extra bytes come from the server's memory.
  • This can be repeated over and over until the attacker has as much of the server's memory as they like.
  • The process raises no suspicion because the attacker and the web server exchange data just as any normal user of the website would.
  • The bug is (currently) limited to servers that use OpenSSL.
  • Over 600,000,000 websites could be affected by this problem.
  • Web servers running Microsoft Windows are not currently affected.
  • Microsoft Windows powers about 300,000,000 websites.
  • Web server counts are taken from Netcraft's Web Server Survey.
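As an added illustration (not code from the original post or from OpenSSL), the C simulation below contrasts a heartbeat handler that trusts the claimed payload length with one that applies the single length check that fixed the bug. The `memory` buffer, the `SECRET` marker and all three functions are constructed for this demo; no network or real TLS code is involved.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_MIN_PADDING 16
#define SECRET "cookie=abc123"            /* constructed stand-in for neighbouring process data */
static unsigned char memory[64];          /* constructed stand-in for the server's memory */

/* Build a heartbeat response payload from a record whose real received length is rec_len.
 * checked == 0 trusts the claimed length (the bug); checked == 1 validates it (the fix).
 * Returns the number of bytes copied into out, or -1 if the record is rejected. */
int heartbeat_response(const unsigned char *rec, size_t rec_len, int checked,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 3) return -1;                       /* header not even present */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];  /* length claimed by the peer */
    if (claimed > out_cap) return -1;                 /* keeps this demo within its own buffers */
    /* The fix: header + claimed payload + minimum padding must fit inside what was received. */
    if (checked && 1 + 2 + claimed + HB_MIN_PADDING > rec_len) return -1;
    memcpy(out, rec + 3, claimed);                    /* unchecked: copies past the end of the record */
    return (int)claimed;
}

/* Put a request with a 2-byte payload but an arbitrary claimed length into `memory`,
 * followed by the constructed secret. Returns the record's real length (21 bytes). */
size_t make_scenario(unsigned claimed)
{
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                                    /* heartbeat_request */
    memory[1] = (unsigned char)(claimed >> 8); memory[2] = (unsigned char)(claimed & 0xff);
    memory[3] = 'h'; memory[4] = 'i';                 /* real payload, then 16 zero padding bytes */
    memcpy(memory + 5 + HB_MIN_PADDING, SECRET, sizeof SECRET);
    return 5 + HB_MIN_PADDING;
}

/* Returns 1 if the response built under the given check setting contains the secret, else 0. */
int response_leaks_secret(unsigned claimed, int checked)
{
    unsigned char out[64];
    int n = heartbeat_response(memory, make_scenario(claimed), checked, out, sizeof out);
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; n > 0 && i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("unchecked: benign=%d oversized=%d\n", response_leaks_secret(2, 0), response_leaks_secret(40, 0));
    printf("checked:   benign=%d oversized=%d\n", response_leaks_secret(2, 1), response_leaks_secret(40, 1));
    return 0;
}
```

The unchecked handler answers the benign request correctly but, for the oversized one, copies bytes that lie beyond the 21-byte record; the checked handler rejects the oversized request outright and still serves the benign one.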

(Image: xkcd comic on Heartbleed)

