Heartbleed
What is Heartbleed?
Heartbleed was a vulnerability in certain versions of OpenSSL, the open source cryptographic library behind much of the TLS traffic on the internet. It was publicly disclosed on April 7, 2014, and a fixed release, OpenSSL 1.0.1g, was published the same day.
The vulnerability, tracked as CVE-2014-0160, let an attacker read up to 64 kilobytes of the peer's process memory per malformed heartbeat request. It worked in both directions: a client could read memory from a vulnerable server, and a malicious server could read memory from a vulnerable client that connected to it. Nothing limited how many requests could be sent, and a heartbeat request left no trace in ordinary application logs, so an attacker could quietly collect many 64 KB chunks of memory.
Heartbleed got its name because the flaw is in OpenSSL's implementation of the Heartbeat Extension for TLS and DTLS (RFC 6520): a heartbeat request whose header claims a larger payload than it actually carries makes the responder copy, or "bleed", memory beyond the end of the request into its reply.
What caused Heartbleed?
The bug was a missing bounds check. A heartbeat request carries a 16-bit payload length, and the responder is supposed to echo the payload back; the OpenSSL code trusted the length in the request header and copied that many bytes into the response without checking that the request actually contained them, so the reply was filled with whatever lay next in memory. The bug was found independently by Google's security team (Neel Mehta) and by researchers at Codenomicon, who quickly realized that an attacker could use it to recover data that TLS was supposed to protect: session contents, usernames, passwords, session cookies and the server's private key, that is, the key belonging to its X.509 certificate.
At the time, the web servers that rely on OpenSSL for TLS, Apache and nginx among them, served roughly 66% of active websites, and OpenSSL was also embedded in mail servers, VPNs, network appliances and client software. Experts called Heartbleed one of the worst security bugs in the history of the internet.
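To make the cause concrete, here is an added, self-contained simulation in C. It is not OpenSSL's source, though the two handlers mirror the shape of tls1_process_heartbeat before and after the 1.0.1g fix. The arena, the SECRET string and the simulate/leaks_secret helpers are constructed for this example: the heartbeat record is parsed out of a buffer that also holds an unrelated secret, so the over-read stays inside the array and the leak shows up in the echoed response.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: type (1 byte: 1 = request, 2 = response),
 * payload_length (2 bytes, big-endian), payload, padding (at least 16 bytes). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for the process's memory: the received heartbeat record
 * is placed at the start and unrelated sensitive data happens to follow it, as a
 * neighbouring heap allocation would. Sized so the vulnerable over-read of up to
 * 65535 bytes stays inside the array (the simulation itself must not be UB). */
#define ARENA_SIZE (3 + 65535 + HB_PADDING + 64)
static uint8_t arena[ARENA_SIZE];
static uint8_t response[3 + 65535 + HB_PADDING];
static const char SECRET[] = "session_cookie=SECRET-TOKEN-1234";   /* constructed sample data */

/* Write into `arena` a heartbeat request whose header claims `claimed_len`
 * payload bytes but really carries `actual_len`. Returns the true record length. */
static size_t build_request(uint16_t claimed_len, const uint8_t *payload, size_t actual_len) {
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);          /* padding stays zeroed */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);  /* the "adjacent allocation" */
    return rec_len;
}

/* Build the response: echo `payload` bytes starting at `src`, then padding.
 * Both handlers below share this; only the checks before it differ. */
static int emit_response(const uint8_t *src, uint16_t payload, uint8_t *resp, size_t resp_sz) {
    size_t out_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (out_len > resp_sz) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, src, payload);                  /* copies however many bytes the header says */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)out_len;
}

/* Pre-1.0.1g behaviour: payload_length comes straight from the attacker-controlled
 * header and is never compared with the number of bytes actually received. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_sz) {
    (void)rec_len;                                   /* the bug: the real length is ignored */
    uint8_t hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* n2s(p, payload) in OpenSSL */
    if (hbtype != HB_REQUEST) return -1;
    return emit_response(rec + 3, payload, resp, resp_sz);   /* over-reads past the record */
}

/* 1.0.1g behaviour: refuse a record too short to hold the header, then refuse one
 * whose claimed payload plus padding exceeds what arrived; discard silently, as
 * RFC 6520 section 4 requires. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_sz) {
    if ((size_t)(1 + 2 + HB_PADDING) > rec_len) return -1;
    uint8_t hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* the added bounds check */
    if (hbtype != HB_REQUEST) return -1;
    return emit_response(rec + 3, payload, resp, resp_sz);
}

/* Send a 4-byte "ping" whose header claims `claimed_len` bytes to one handler.
 * Returns the response length, or -1 if the request was discarded. */
int simulate(int use_fixed, uint16_t claimed_len) {
    static const uint8_t ping[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = build_request(claimed_len, ping, sizeof ping);
    return use_fixed ? heartbeat_fixed(arena, rec_len, response, sizeof response)
                     : heartbeat_vulnerable(arena, rec_len, response, sizeof response);
}

/* Run `simulate` and report whether the echoed payload contains SECRET. */
int leaks_secret(int use_fixed, uint16_t claimed_len) {
    int n = simulate(use_fixed, claimed_len);
    size_t slen = strlen(SECRET);
    if (n < 3) return 0;
    for (size_t i = 3; i + slen <= (size_t)n; i++)
        if (memcmp(response + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, honest 4-byte request: %d bytes back, leak=%d\n", simulate(0, 4),   leaks_secret(0, 4));
    printf("vulnerable, header claims 200    : %d bytes back, leak=%d\n", simulate(0, 200), leaks_secret(0, 200));
    printf("fixed, header claims 200         : %d (discarded), leak=%d\n", simulate(1, 200), leaks_secret(1, 200));
    printf("fixed, honest 4-byte request     : %d bytes back, leak=%d\n", simulate(1, 4),   leaks_secret(1, 4));
    return 0;
}
```

The honest request is answered identically by both handlers, which is why the fix broke nothing; the difference is only that the fixed handler compares the claimed length against the length of the record it actually received before touching memory. In real OpenSSL the over-read walked into neighbouring heap allocations rather than a static array, which is where keys, cookies and passwords happened to live.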
Is Heartbleed still a problem?
Older versions of OpenSSL may still be vulnerable. The bug is present in OpenSSL 1.0.1 through 1.0.1f, released between March 2012 and January 2014, and in 1.0.2-beta1; the 1.0.0 and 0.9.8 branches never contained it. The defect was corrected in OpenSSL 1.0.1g, released in April 2014. OpenSSL.org advised users to upgrade to 1.0.1g or, where an upgrade was not immediately possible, to rebuild with -DOPENSSL_NO_HEARTBEATS to disable the extension, and enterprises were told to treat anything that had been in a vulnerable process's memory as compromised: reissue X.509 certificates with new keys and revoke the old ones, and rotate passwords, session tokens and other secrets. One practical caveat: the version string alone does not settle whether a host is patched, because Linux distributions backported the fix into packages that still report themselves as 1.0.1e, so check the package changelog or test the service directly.
In 2017, the Shodan search engine published a report that found almost 200,000 internet-facing services were still unpatched and vulnerable to Heartbleed, years after the fix was released.