Heartbleed in a few bullet points
April 10th, 2014 // 1:56 am @ Erik Westermann
Heartbleed is a vulnerability in OpenSSL's implementation of the heartbeat feature. OpenSSL runs on Linux, and about 2/3 of the world's websites run on Linux-based operating systems. Here's a brief explanation of the problem:
- While a secure connection is open, the browser can send a heartbeat request to make sure that it can still reach the server.
- Heartbeat messages are limited to a certain size, but the browser can ask for a heartbeat reply that is larger than the data it actually sent.
- The server honours the oversized request.
- The server's reply contains the expected heartbeat plus extra bytes used to fill the reply up to the requested size.
- Those extra bytes come from the server's memory.
- The process can be repeated over and over until the attacker has read as much of the server's memory as they like.
- The process raises no suspicion because the attacker and the web server are exchanging data just as a normal user's browser would.
- The bug is (currently) limited to servers that use OpenSSL.
- Over 600,000,000 websites could be affected by this problem
- Web servers running Microsoft Windows are not currently affected
- Microsoft Windows powers about 300,000,000 websites
- Website counts are based on Netcraft's Web Server Survey.
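The bullets above describe a server that trusts the length field of a heartbeat request and copies that many bytes back without checking that they were ever received. The following C program is an added teaching example, not code from OpenSSL or from this post: it models a heartbeat record inside a constructed "server memory" buffer and runs the same request through a handler with the missing check (the behaviour the bullets describe) and through a handler with the check in place. The record layout (type, two-byte payload length, payload, padding) follows the heartbeat message format; the function names, the arena size and the `LEFTOVER` marker string are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heartbeat record layout, following the heartbeat message format:
 *   [type:1][payload_len:2, big-endian][payload:payload_len][padding:16]
 * Everything else here (names, buffer sizes, marker string) is assumed
 * for the example. */
#define HB_PADDING 16
#define HB_REQUEST 1
#define ARENA_SIZE 64

/* Constructed stand-in for the server's memory: the received record is
 * placed at the front; whatever follows it represents other session data
 * that was never meant to be sent back. */
static unsigned char server_memory[ARENA_SIZE];
static const char LEFTOVER[] = "SECRET-SESSION-DATA";   /* constructed marker */

/* Build a heartbeat request in the arena. claimed_len is what the length
 * field says; actual_len is how many payload bytes are really present.
 * Returns the record length as the transport layer measures it. */
size_t build_request(uint16_t claimed_len, const char *payload, size_t actual_len) {
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (unsigned char)(claimed_len >> 8);
    server_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_memory + 3, payload, actual_len);
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;
    /* Bytes that happen to sit after the record in memory. */
    memcpy(server_memory + rec_len, LEFTOVER, sizeof LEFTOVER - 1);
    return rec_len;
}

/* Answer the request. With check_bounds == 0 the handler trusts the length
 * field (the Heartbleed behaviour); with check_bounds == 1 it first verifies
 * that the claimed payload fits inside the record it received and silently
 * drops the request otherwise. Returns the number of reply bytes (0 = dropped). */
size_t handle_heartbeat(size_t rec_len, int check_bounds, unsigned char *out, size_t out_cap) {
    const unsigned char *p = server_memory;
    if (rec_len < 1 + 2 + HB_PADDING) return 0;            /* malformed either way */
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (check_bounds && (size_t)1 + 2 + payload_len + HB_PADDING > rec_len)
        return 0;   /* the fix: the length field must be consistent with the record */
    /* Guards that keep this simulation inside its own buffers; they are not
     * part of the vulnerable logic being modelled. */
    if ((size_t)3 + payload_len > sizeof server_memory || payload_len > out_cap) return 0;
    memcpy(out, p + 3, payload_len);   /* copies whatever follows the record */
    return payload_len;
}

/* Reply length for one request, so the two behaviours can be compared. */
size_t reply_length(uint16_t claimed_len, const char *payload, size_t actual_len, int check_bounds) {
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(claimed_len, payload, actual_len);
    return handle_heartbeat(rec_len, check_bounds, out, sizeof out);
}

/* 1 if the reply carries the constructed LEFTOVER marker, i.e. bytes that
 * lay beyond the received record; 0 otherwise. */
int reply_contains_leftover(uint16_t claimed_len, const char *payload, size_t actual_len, int check_bounds) {
    unsigned char out[ARENA_SIZE] = {0};
    size_t rec_len = build_request(claimed_len, payload, actual_len);
    size_t n = handle_heartbeat(rec_len, check_bounds, out, sizeof out);
    size_t m = sizeof LEFTOVER - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, LEFTOVER, m) == 0) return 1;
    return 0;
}

int main(void) {
    /* Constructed request: 4 real payload bytes, length field claiming 40. */
    printf("vulnerable: %zu bytes back, leftover in reply=%d\n",
           reply_length(40, "ping", 4, 0), reply_contains_leftover(40, "ping", 4, 0));
    printf("fixed:      %zu bytes back, leftover in reply=%d\n",
           reply_length(40, "ping", 4, 1), reply_contains_leftover(40, "ping", 4, 1));
    printf("honest:     %zu bytes back, leftover in reply=%d\n",
           reply_length(4, "ping", 4, 1), reply_contains_leftover(4, "ping", 4, 1));
    return 0;
}
```

The unchecked handler returns 40 bytes for a 4-byte payload, and the constructed marker that sat after the record shows up in the reply; the checked handler drops the same request and still answers a request whose length field matches what was sent. The check compares the length field against the size of the record that actually arrived, which is also the property a network sensor can test: a heartbeat request whose declared payload length exceeds its record length is the signature of this probe.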