
4/14/2014

Heartbleed - Wikipedia, the free encyclopedia

Heartbleed
From Wikipedia, the free encyclopedia

Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol. This vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension.[3] A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords.[4][5][6][7][8] The Electronic Frontier Foundation,[9] Ars Technica,[10] and Bruce Schneier[11] all deemed the Heartbleed bug "catastrophic". Forbes cybersecurity columnist Joseph Steinberg described the bug as potentially "the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet", implying that it is worse than the Israeli spyware/malware pandemic of Stuxnet and Duqu combined.[12] Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160.[13]

Logo representing Heartbleed. Finland's Codenomicon company gave Heartbleed both a name and a logo, contributing to public awareness of the issue. [1][2]

Contents
1 History
1.1 Appearance
1.2 Resolution
1.3 Possible exploitation prior to disclosure
1.4 Reported exploitation subsequent to disclosure
2 Behavior
2.1 Impact
2.2 Affected OpenSSL versions
2.2.1 Vulnerable Program and Function
2.3 Patch
2.4 Vulnerability testing services
3 Affected services
3.1 Websites and web services
3.2 Software applications
4 Reaction
5 Root causes and possible lessons
6 References
7 External links
http://en.wikipedia.org/wiki/Heartbleed 1/12

History

Appearance

The Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols is a proposed standard specified by RFC 6520, published in February 2012.[25] It provides a way to test and keep alive secure communication links without the need to renegotiate the connection each time. In 2011, Robin Seggelmann, then a Ph.D. student at the University of Duisburg-Essen, implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL,[14][15][16] his change was reviewed by Dr. Stephen N. Henson, one of OpenSSL's four core developers. Henson apparently failed to notice a bug in Seggelmann's implementation, and introduced the resulting vulnerability into OpenSSL's source code repository on December 31, 2011. The vulnerable code was adopted into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing affected versions to be vulnerable by default.[17][18][19]

Resolution

On March 21, 2014 Bodo Moeller and Adam Langley of Google wrote a patch that fixed the bug. The date of the patch is known from Red Hat's issue tracker.[20] The next chronological date available from the public evidence is the claim by performance and security company CloudFlare that they fixed the flaw on their systems on March 31, 2014.[21] According to Mark J. Cox of OpenSSL, Neel Mehta of Google's security team reported Heartbleed on April 1, 2014.[22] The bug entailed a severe memory handling error in the implementation of the Transport Layer Security Heartbeat Extension.[23][24] This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat.[24] The bug was named by an engineer at the firm Codenomicon, a Finnish cybersecurity company, which also created the bleeding heart logo, and launched the domain Heartbleed.com (http://heartbleed.com) to explain the bug to the public. According to Codenomicon, Neel Mehta first reported the bug to OpenSSL, but both Google and Codenomicon discovered it independently.[17] Codenomicon reports April 3 as their date of discovery of the bug and as their date of notification of NCSC-FI (formerly known as CERT-FI) for vulnerability coordination.[17][26] Mehta also congratulated Codenomicon, without going into detail.[27] On April 10, 2014, "Cisco Systems and Juniper Networks, two of the biggest creators of Internet equipment, announced on Thursday that their products had been affected by the Heartbleed bug. Routers, firewalls and switches ... have all likely been affected by the bug, leaving your personal information at risk of being stolen by hackers."[28] On April 12, 2014, at least two independent researchers were able to steal private keys using this attack from an experimental server intentionally set up for that purpose by CloudFlare.[29][30]

Possible exploitation prior to disclosure

Many major web sites patched or disabled the bug within days of its announcement,[31] but it is unclear whether potential attackers were aware of it earlier and to what extent it was exploited. Based on examinations of audit logs by researchers, it has been reported that some attackers may have exploited the flaw for at least five months before discovery and announcement.[32][33] Errata Security has partially rejected this hypothesis,[34] whereas the Department of Homeland Security believes that as of April 11, 2014, "there have not been any reported attacks or malicious incidents involving this particular vulnerability confirmed".[35] According to two insider sources speaking to Bloomberg, the United States National Security Agency was aware of the flaw since shortly after its introduction, but chose to keep it secret, instead of reporting it, in order to exploit it for their own purposes.[36][37][38] The NSA has denied this claim.[39]

Reported exploitation subsequent to disclosure

Revenue Canada reported the theft of 900 taxpayer social insurance numbers through an exploit of the bug during a 6-hour period on April 8.[40] When the attack was discovered, the agency shut down its web site and extended the taxpayer filing deadline from April 30 to May 5.[41] The agency said it will provide anyone affected with credit protection services at no cost.

Behavior

The RFC 6520 Heartbeat Extension tests TLS/DTLS secure communication links by allowing a computer at one end of a connection to send a "Heartbeat Request" message, consisting of a payload, typically a text string, along with the payload's length as a 16-bit integer. The receiving computer then must send the exact same payload back to the sender. The affected versions of OpenSSL allocate a memory buffer for the message to be returned based on the length field in the requesting message, without regard to the size of the actual payload in that message. Because of this failure to do proper bounds checking, the message returned consists of the requested payload followed by whatever else happened to be in the allocated memory buffer. The problem was compounded by OpenSSL's decision to write its own version of the C dynamic memory allocation (malloc and free) routines. As a result, the oversized memory buffer returned to the requestor was likely to contain data from memory blocks that had been previously requested and freed by OpenSSL. Such memory blocks may contain sensitive data sent by users or even the private keys used by OpenSSL. In addition, by using its own memory management routines OpenSSL bypassed mitigation measures in some operating systems that might have detected or neutralized the bug.[42]

Depiction of Heartbleed message.

The Heartbleed bug is exploited by sending a malformed heartbeat request with a small payload and large length field to the server in order to elicit the server's response, permitting attackers to read up to 64 kilobytes of server memory that was likely to have been used previously by SSL.[43] Attackers in this way could receive sensitive data, compromising the security of the server and its users. Vulnerable data include the server's private master key,[17][19] which would enable attackers to decrypt current or stored traffic via passive man-in-the-middle attack (if perfect forward secrecy is not used by the server and client), or active man-in-the-middle if perfect forward secrecy is used. The bug might also reveal unencrypted parts of users' requests and responses, including any form post data in users' requests, session cookies and passwords, which might allow attackers to hijack the identity of another user of the service.[44]

Impact

By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.[45]

Affected OpenSSL versions

The affected versions of OpenSSL include OpenSSL 1.0.1 through 1.0.1f (inclusive). The OpenSSL 1.0.0 branch and OpenSSL 0.9.8 branch are not vulnerable.[46]

Vulnerable Program and Function

The vulnerable program source files are t1_lib.c and d1_both.c, and the vulnerable functions are tls1_process_heartbeat() and dtls1_process_heartbeat().[47]

Patch

The bug is classified as a buffer over-read,[48] a situation where software allows more data to be read than should be allowed.[49] The problem can be fixed by ignoring Heartbeat Request messages that ask for more data than their payload needs. Version 1.0.1g of OpenSSL adds some bounds checks to prevent the buffer over-read. For example, the test

if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* silently discard per RFC 6520 sec. 4 */

has been added in front of the line pl = p. The attacker cannot control which data are returned, as OpenSSL typically responds with the chunks of memory it has most recently discarded.
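The heartbeat message layout and the 1.0.1g bounds check described above, as an added example that is not part of the Wikipedia article or of OpenSSL's own code: a small C handler parses a constructed heartbeat record, applies the same test (header plus declared payload plus 16 bytes of padding must fit inside the received record) before touching the payload, and separately reports how many bytes past the end of the record the unpatched copy would have read. The HB_* names, the verdict enum, the wrapper functions and the two sample messages are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage as carried inside a TLS record:
 *   1 byte   type            (1 = heartbeat_request, 2 = heartbeat_response)
 *   2 bytes  payload_length  (big-endian)
 *   N bytes  payload         (N = payload_length)
 *   >= 16 bytes of random padding
 * All names below are this example's own, not OpenSSL's. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3      /* type + 2-byte payload_length */
#define HB_MIN_PADDING 16

enum hb_verdict {
    HB_OK = 0,                /* well-formed request, response written     */
    HB_DISCARD_SHORT,         /* record cannot even hold header + padding  */
    HB_DISCARD_OVERSIZED,     /* declared payload does not fit the record  */
    HB_NOT_REQUEST,           /* type byte is not heartbeat_request        */
    HB_NO_ROOM                /* caller's output buffer is too small       */
};

static size_t hb_declared_payload(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* How many bytes beyond the end of the record the pre-1.0.1g code, which
 * copied payload_length bytes from the payload start without checking,
 * would have read. 0 means the declared length fits inside the record. */
size_t hb_unpatched_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t declared  = hb_declared_payload(rec);
    size_t available = rec_len - HB_HEADER_LEN;   /* payload + padding actually received */
    return declared > available ? declared - available : 0;
}

/* Hardened handler: the 1.0.1g test
 *     if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0;
 * is applied before the payload is touched. On success a heartbeat_response
 * is written to out; on any discard nothing is written. */
enum hb_verdict hb_process_request(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return HB_DISCARD_SHORT;
    if (rec[0] != HB_REQUEST) return HB_NOT_REQUEST;
    size_t payload = hb_declared_payload(rec);
    /* The bounds check that was missing before 1.0.1g. */
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len) return HB_DISCARD_OVERSIZED;
    size_t resp_len = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    if (resp_len > out_cap) return HB_NO_ROOM;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload); /* only bytes really received */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);  /* stands in for random padding */
    *out_len = resp_len;
    return HB_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t sample_good[] = {          /* declares 5 bytes, carries "hello" */
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t sample_bad[] = {           /* declares 65535 bytes, carries none */
    HB_REQUEST, 0xff, 0xff,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int good_sample_echoes_payload(void)
{
    uint8_t out[64]; size_t n;
    if (hb_process_request(sample_good, sizeof sample_good, out, sizeof out, &n) != HB_OK) return 0;
    return n == HB_HEADER_LEN + 5 + HB_MIN_PADDING && out[0] == HB_RESPONSE
        && memcmp(out + HB_HEADER_LEN, "hello", 5) == 0;
}
enum hb_verdict bad_sample_verdict(void)
{
    uint8_t out[64]; size_t n;
    return hb_process_request(sample_bad, sizeof sample_bad, out, sizeof out, &n);
}
size_t bad_sample_overread(void) { return hb_unpatched_overread(sample_bad, sizeof sample_bad); }

int main(void)
{
    printf("good: echoed=%d  bad: verdict=%d, unpatched over-read=%zu bytes\n",
           good_sample_echoes_payload(), (int)bad_sample_verdict(), bad_sample_overread());
    return 0;
}
```

The malformed sample is the shape the article describes, a 3-byte header with a 0xFFFF length field and no payload: the hardened handler discards it, while the unpatched copy would have read 65519 bytes beyond the 19-byte record, which is the "up to 64 kilobytes" the article cites. The same comparison of declared length against record length is what a network-side detector for this traffic has to make.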

A complete list of changes is available at git.openssl.org (http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902).[50] Although patching software (the OpenSSL library and any statically linked binaries) fixes the bug, running software will continue to use its in-memory OpenSSL code with the bug until each application is shut down and restarted, so that the patched code can be loaded. Further, in order to regain privacy and secrecy, all private or secret data must be replaced, since it is not possible to know if they were compromised while the vulnerable code was in use:[51] all possibly compromised private key-public key pairs must be regenerated, all certificates linked to those possibly compromised key pairs need to be revoked and replaced, and all passwords on the possibly compromised servers need to be changed.

Vulnerability testing services

Several services were made available to test whether the Heartbleed bug was present on a given site, including:
Heartbleed testing tool by a European IT security company[52]
Heartbleed Scanner by Italian cryptologist Filippo Valsorda[53]
Heartbleed Vulnerability Test by Cyberoam[54]
Critical Watch Free Online Heartbleed Tester[55]
Metasploit Heartbleed scanner module[56]
Heartbleed Server Scanner by Rehmann[57]
Lookout Mobile Security Heartbleed Detector, an app for Android devices that determines the OpenSSL version of the device and indicates whether the vulnerable heartbeat is enabled[58]
Heartbleed checker hosted by LastPass[59]
Online network range scanner for Heartbleed vulnerability by Pentest-Tools.com[60]
Official offline scanner in Python from Redhat, heartbleed-poc.py (https://access.redhat.com/labs/heartbleed/heartbleed-poc.py)
Qualys SSL Labs' SSL Server Test (https://www.ssllabs.com/ssltest/), which not only looks for the Heartbleed bug, but can also find other SSL/TLS implementation errors
Browser extensions, such as Chromebleed (https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic) and FoxBleed (https://addons.mozilla.org/en-US/firefox/addon/foxbleed/)

Other security tools have added support for finding this bug. For example, Sourcefire has released Snort rules to detect Heartbleed attack traffic and possible Heartbleed response traffic.[61] Tenable Network Security wrote a plugin for its Nessus vulnerability scanner that can scan for this fault.[62]

Affected services

The following OpenSSL versions were determined to be vulnerable:
OpenSSL 1.0.1 – OpenSSL 1.0.1f
OpenSSL 1.0.2-beta

The following OpenSSL versions include patches to fix the Heartbleed bug:
OpenSSL 1.0.1g
OpenSSL 1.0.2-beta2 (upcoming)

To resolve the bug, server administrators are advised to either use 1.0.1g or to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS, thus disabling the vulnerable feature until the server software can be updated. This does not apply where an operating system patch for CVE-2014-0160 has been installed that doesn't change the library version, which is the case for Debian (including derivatives such as Ubuntu and Linux Mint), openSUSE, FreeBSD and Fedora (including derivatives such as Red Hat Enterprise Linux, CentOS and Amazon Linux).[24]

Websites and web services

The following sites have services affected or made announcements recommending that users update passwords in response to the bug:
Akamai Technologies[63]
Amazon Web Services[64]
Ars Technica[65]
Bitbucket[66]
BrandVerity[67]
Freenode[68]
GitHub[69]
IFTTT[70]
Internet Archive[71]
Mojang[72]
Mumsnet
PeerJ[73]
Prezi[74]
Something Awful[75]
SoundCloud[76]
SourceForge[77]
SparkFun[78]
Stripe (company)[79]
Tumblr[80][81]
Wattpad
Wikimedia (including Wikipedia)[82][83]
Wunderlist[84]
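A version-string check built from the affected-version list and the resolution advice above, added here as an example that is not from the article or from any of the scanners it names: it parses an OpenSSL version string, classifies it against the ranges the article gives (1.0.1 through 1.0.1f and 1.0.2-beta vulnerable; 1.0.1g and 1.0.2-beta2 fixed; the 1.0.0 and 0.9.8 branches not affected), and takes a caller-supplied flag for the distribution-backport case the article notes, where the library version string does not change. The function names, the OSSL_* enum and the treatment of an unnumbered "-beta" as beta1 are this example's own assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum ossl_status {
    OSSL_NOT_VULNERABLE = 0,   /* branch never had the bug (1.0.0, 0.9.8)      */
    OSSL_VULNERABLE     = 1,   /* 1.0.1 through 1.0.1f, 1.0.2-beta              */
    OSSL_FIXED          = 2,   /* 1.0.1g and later letters, 1.0.2-beta2         */
    OSSL_UNKNOWN        = 3    /* string not understood or outside the ranges   */
};

struct ossl_version { int major, minor, fix; char letter; int beta; };

/* Parse strings such as "1.0.1f", "1.0.0", "0.9.8y", "1.0.2-beta", "1.0.2-beta2".
 * Returns false if the string does not follow that shape. */
bool parse_openssl_version(const char *s, struct ossl_version *v)
{
    int n = 0;
    memset(v, 0, sizeof *v);
    if (sscanf(s, "%d.%d.%d%n", &v->major, &v->minor, &v->fix, &n) != 3 || n == 0) return false;
    s += n;
    if (isalpha((unsigned char)*s)) v->letter = *s++;        /* patch letter, e.g. 'f' */
    if (strncmp(s, "-beta", 5) == 0) {
        s += 5;
        /* Assumption: an unnumbered "-beta" is treated as beta1. */
        v->beta = isdigit((unsigned char)*s) ? *s - '0' : 1;
        if (isdigit((unsigned char)*s)) s++;
    }
    return *s == '\0';
}

/* Classify a version string against the ranges given in the article. */
enum ossl_status classify_openssl_version(const char *s)
{
    struct ossl_version v;
    if (!parse_openssl_version(s, &v)) return OSSL_UNKNOWN;
    if (v.major == 0 && v.minor == 9 && v.fix == 8) return OSSL_NOT_VULNERABLE;
    if (v.major == 1 && v.minor == 0 && v.fix == 0) return OSSL_NOT_VULNERABLE;
    if (v.major == 1 && v.minor == 0 && v.fix == 1)
        return (v.letter == 0 || v.letter <= 'f') ? OSSL_VULNERABLE : OSSL_FIXED;
    if (v.major == 1 && v.minor == 0 && v.fix == 2 && v.beta > 0)
        return v.beta < 2 ? OSSL_VULNERABLE : OSSL_FIXED;
    return OSSL_UNKNOWN;
}

/* distro_backport must come from the package changelog (e.g. a Debian or
 * Red Hat build that fixed CVE-2014-0160 without bumping the version);
 * the version string alone cannot reveal it. */
bool needs_heartbeat_mitigation(const char *version, bool distro_backport)
{
    return classify_openssl_version(version) == OSSL_VULNERABLE && !distro_backport;
}

int main(void)
{
    const char *samples[] = { "1.0.1f", "1.0.1g", "1.0.0l", "0.9.8y", "1.0.2-beta", "1.0.2-beta2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> status %d, mitigate: %s\n", samples[i],
               (int)classify_openssl_version(samples[i]),
               needs_heartbeat_mitigation(samples[i], false) ? "yes" : "no");
    return 0;
}
```

Even a "fixed" answer only describes the library on disk: as the article says, processes that loaded the old code keep running it until restarted, so this check belongs alongside a restart of every TLS-using service, not in place of it.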

Software applications

IPCop 2.1.4 was released on April 8, 2014 with a fix for "the OpenSSL library everybody is talking about".[85] LastPass Password Manager was not vulnerable, due to its use of forward secrecy, but it recommended users change passwords that LastPass stored for vulnerable websites.[86] LibreOffice 4.2.3 was released on April 10, 2014 with a fix for CVE-2014-0160.[87] LogMeIn claimed to have "updated many products and parts of our services that rely on OpenSSL".[88]

Reaction

On the day of the announcement, the Tor Project issued an announcement on its blog and advised that anyone seeking "strong anonymity or privacy on the Internet" should "stay away from the Internet entirely for the next few days while things settle." They also recommended that Tor relay operators and hidden service operators revoke and generate fresh keys after patching OpenSSL, but noted that Tor relays use two sets of keys and that Tor's multi-hop design minimizes the impact of exploiting a single relay.[89] The Canadian federal government temporarily shut online services of the Canada Revenue Agency (CRA) and several government departments over Heartbleed bug security concerns,[90][91] and the federal Canadian Cyber Incident Response Centre issued a security bulletin advising system administrators about the bug.[92] Platform maintainers like the Wikimedia Foundation advised their users to change passwords.[82] A US Cabinet spokesman recommended that "People should take advice on changing passwords from the websites they use... Most websites have corrected the bug and are best placed to advise what action, if any, people need to take."[93] An analysis posted on GitHub of the top 1000 most visited websites on April 8, 2014 revealed vulnerabilities in sites including Yahoo!, Imgur, Stack Overflow, Slate, and DuckDuckGo.[94][95]

Root causes and possible lessons

Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects, has criticized the OpenSSL developers for writing their own memory management routines and thereby circumventing OpenBSD C standard library exploit countermeasures, saying "OpenSSL is not developed by a responsible team."[96][42] The author of the bug, Robin Seggelmann,[97] stated that he "missed validating a variable containing a length" and denied any intention to submit a flawed implementation.[14] Following Heartbleed's disclosure, Seggelmann has stated that OpenSSL is not reviewed by enough people.[98]

References

1. McKenzie, Patrick (April 9, 2014). "What Heartbleed Can Teach The OSS Community About Marketing" (http://www.kalzumeus.com/2014/04/09/what-heartbleed-can-teach-the-oss-community-about-marketing/).
2. Biggs, John (April 9, 2014). "Heartbleed, The First Security Bug With A Cool Logo" (http://techcrunch.com/2014/04/09/heartbleed-the-first-consumer-grade-exploit/). TechCrunch.

3. Seggelmann, R.; et al. (February 2012). "Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension" (https://tools.ietf.org/html/rfc6520). RFC 6520. Internet Engineering Task Force (IETF).
4. Mutton, Paul (April 8, 2014). "Half a million widely trusted websites vulnerable to Heartbleed bug" (http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html). Netcraft Ltd.
5. Wood, Molly (April 10, 2014). "Flaw Calls for Altering Passwords, Experts Say" (http://www.nytimes.com/2014/04/10/technology/flaw-calls-for-altering-passwords-experts-say.html). New York Times.
6. Manjoo, Farhad (April 10, 2014). "Users' Stark Reminder: As Web Grows, It Grows Less Secure" (http://www.nytimes.com/2014/04/10/technology/users-stark-reminder-as-web-grows-it-grows-less-secure.html). New York Times.
7. Perlroth, Nicole; Hardy, Quentin (April 11, 2014). "Heartbleed Flaw Could Reach to Digital Devices, Experts Say" (http://www.nytimes.com/2014/04/11/business/security-flaw-could-reach-beyond-websites-to-digital-devices-experts-say.html). New York Times.
8. Chen, Brian X. (April 9, 2014). "Q. and A. on Heartbleed: A Flaw Missed by the Masses" (http://bits.blogs.nytimes.com/2014/04/09/qa-on-heartbleed-a-flaw-missed-by-the-masses/). New York Times.
9. Zhu, Yan (April 8, 2014). "Why the Web Needs Perfect Forward Secrecy More Than Ever" (https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy). Electronic Frontier Foundation.
10. Goodin, Dan (April 8, 2014). "Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping" (http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/). Ars Technica.
11. "Schneier on Security: Heartbleed" (https://www.schneier.com/blog/archives/2014/04/heartbleed.html). Schneier on Security.
12. Steinberg, Joseph (April 10, 2014). "Massive Internet Security Vulnerability – Here's What You Need To Do" (http://www.forbes.com/sites/josephsteinberg/2014/04/10/massive-internet-security-vulnerability-you-are-at-risk-what-you-need-to-do/). Forbes.
13. "CVE – CVE-2014-0160" (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160). Cve.mitre.org.
14. Grubb, Ben (April 11, 2014). "Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately" (http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html). The Sydney Morning Herald.
15. "#2658: [PATCH] Add TLS/DTLS Heartbeats" (http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2658). OpenSSL.
16. "Meet the man who created the bug that almost broke the Internet" (http://www.theglobeandmail.com/news/national/meet-the-man-that-created-the-bug-that-almost-broke-the-internet/article17941003/). Globe and Mail. April 11, 2014.
17. Codenomicon Ltd (April 8, 2014). "Heartbleed Bug" (http://heartbleed.com/).
18. "Cyberoam Security Advisory – Heartbleed Vulnerability in OpenSSL" (http://kb.cyberoam.com/default.asp?id=2909&Lang=1). kb.cyberoam.com.
19. Hagai Bar-El (April 9, 2014). "OpenSSL "Heartbleed" bug: what's at risk on the server and what is not" (http://www.hbarel.com/openssl-heartbleed-bug).
20. "heartbeat_fix" (https://bugzilla.redhat.com/attachment.cgi?id=883475).
21. "CloudFlare – Update on the Heartbleed OpenSSL Vulnerability" (https://support.cloudflare.com/hc/en-us/articles/201660084-Update-on-the-Heartbleed-OpenSSL-Vulnerability).
22. "Mark J Cox – #Heartbleed" (https://plus.google.com/+MarkJCox/posts/TmCbp3BhJma).
23. Goodin, Dan (April 8, 2014). "Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style" (http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/). Ars Technica.

24. The OpenSSL Project (April 7, 2014). "OpenSSL Security Advisory [07 Apr 2014]" (https://www.openssl.org/news/secadv_20140407.txt).
25. Troy Hunt (April 9, 2014). "Everything you need to know about the Heartbleed SSL bug" (http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html).
26. "Näin suomalaistutkijat löysivät vakavan vuodon internetin sydämestä" [transl.: "Finnish researchers found a serious leakage of the heart of the Internet"] (http://www.digitoday.fi/tietoturva/2014/04/10/nain-suomalaistutkijat-loysivat-vakavan-vuodon-internetin-sydamesta/20145118/66?&n=2#commentsHere). Some of the details are in the video linked from the page.
27. Mehta, Neel. "Don't forget to patch DTLS" (https://twitter.com/neelmehta/status/453542518584381440). Twitter.
28. Kleinman, Alexis (April 11, 2014). "The Heartbleed Bug Goes Even Deeper Than We Realized – Here's What You Should Do" (http://www.huffingtonpost.com/2014/04/11/heartbleed-routers_n_5132306.html). The Huffington Post.
29. "The Heartbleed Challenge" (https://www.cloudflarechallenge.com/heartbleed). CloudFlare.
30. Lawler, Richard (April 11, 2014). "Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible" (http://www.engadget.com/2014/04/11/heartbleed-openssl-cloudflare-challenge/). Engadget.
31. Cipriani, Jason (April 9, 2014). "Heartbleed bug: Check which sites have been patched" (http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/). CNET.
32. Gallagher, Sean (April 9, 2014). "Heartbleed vulnerability may have been exploited months before patch" (http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-been-exploited-months-before-patch/). Ars Technica.
33. "Were Intelligence Agencies Using Heartbleed in November 2013?" (https://www.eff.org/deeplinks/2014/04/wildheart-were-intelligence-agencies-using-heartbleed-november-2013). EFF. Peter Eckersley. April 10, 2014.
34. Graham, Robert (April 9, 2014). "No, we weren't scanning for hearbleed[sic] before April 7" (http://blog.erratasec.com/2014/04/no-we-werent-scanning-for-hearbleed.html). Errata Security.
35. "Reaction on "Heartbleed": Working Together to Mitigate Cybersecurity Vulnerabilities | Homeland Security" (http://www.dhs.gov/blog/2014/04/11/reaction%E2%80%9Cheartbleed%E2%80%9D-working-together-mitigate-cybersecurity-vulnerabilities-0). Dhs.gov.
36. Riley, Michael. "NSA Said to Exploit Heartbleed Bug for Intelligence for Years" (http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html). Bloomberg.
37. "NSA exploited Heartbleed bug for two years to gather intelligence, sources say" (http://business.financialpost.com/2014/04/11/nsa-exploited-heartbleed-bug-for-two-years-to-gather-intelligence-sources-say/). Financial Post. April 11, 2014.
38. "Report: NSA exploited Heartbleed for years" (http://www.usatoday.com/story/tech/2014/04/11/heartbleed-cisco-juniper/7589759/). USA Today.
39. "Statement on Bloomberg News story that NSA knew about the 'Heartbleed bug' flaw and regularly used it to gather critical intelligence" (http://icontherecord.tumblr.com/post/82416436703/statement-on-bloomberg-news-story-that-nsa-knew). National Security Agency. April 11, 2014.
40. "Heartbleed bug: 900 SINs stolen from Revenue Canada" (http://www.cbc.ca/news/business/heartbleed-bug-900-sins-stolen-from-revenue-canada-1.2609192). CBC News. April 14, 2014.
41. "Canada Revenue Agency pushes tax deadline to May 5 after Heartbleed bug" (http://www.vancouversun.com/technology/Canada+Revenue+Agency+pushes+deadline+after+Heartbleed/9734773/story.html). Vancouver Sun.
42. "Re: FYA: http: heartbleed.com" (http://article.gmane.org/gmane.os.openbsd.misc/211963). Gmane.
43. "Why Heartbleed is dangerous? Exploiting CVE-2014-0160" (http://ipsec.pl/ssl-tls/2014/why-heartbleed-dangerous-exploiting-cve-2014-0160.html). IPSec.pl.
44. "Why is it called the 'Heartbleed Bug'?" (http://www.washingtonpost.com/blogs/style-blog/wp/2014/04/09/why-is-it-called-the-heartbleed-bug/).

45. "Vulnerability Note VU#720951" (http://www.kb.cert.org/vuls/id/720951). kb.cert.org.
46. "CVE – CVE-2014-0160" (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160). Cve.mitre.org.
47. "Cyberoam Users Need not Bleed over Heartbleed Exploit" (http://www.cyberoam.com/blog/cyberoam-users-need-not-bleed-over-heartbleed-exploit/). Cyberoam.
48. "CWE – CWE-126: Buffer Over-read (2.6)" (http://cwe.mitre.org/data/definitions/126.html). Cwe.mitre.org. February 18, 2014.
49. "Spiceworks Community Discussions" (http://community.spiceworks.com/topic/474704-cyberoam-users-need-not-bleed-over-heartbleed-exploit?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SpiceworksCommunity+(Spiceworks+Community)). community.spiceworks.com.
50. "Git – openssl.git/commitdiff" (http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902). Git.openssl.org.
51. "Patched Servers Remain Vulnerable to Heartbleed OpenSSL | Hayden James" (http://haydenjames.io/patched-servers-remain-vulnerable-heartbleed-openssl/). Haydenjames.io.
52. "Heartbleed OpenSSL extension testing tool, CVE-2014-0160" (http://possible.lv/tools/hb/). Possible.lv.
53. Heartbleed Scanner (http://filippo.io/Heartbleed) by Italian cryptologist Filippo Valsorda.
54. Heartbleed Vulnerability Test Tool (http://csc.cyberoam.com/cyberoamsupport/webpages/webcat/20140160.jsp) by Cyberoam.
55. "Critical Watch :: Heartbleed Tester :: CVE-2014-0160" (http://heartbleed.criticalwatch.com/). Heartbleed.criticalwatch.com.
56. Metasploit module (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb).
57. Heartbleed Server Scanner (http://rehmann.co/projects/heartbeat) by Rehmann.
58. "Heartbleed Detector: Check If Your Android OS Is Vulnerable with Our App" (https://blog.lookout.com/blog/2014/04/09/heartbleed-detector/). Lookout Mobile Security blog.
59. "Heartbleed checker" (https://lastpass.com/heartbleed/). LastPass.
60. "OpenSSL Heartbleed vulnerability scanner :: Online Penetration Testing Tools | Ethical Hacking Tools" (https://pentest-tools.com/vulnerability-scanning/openssl-heartbleed-scanner/). Pentest-tools.com.
61. "VRT: Heartbleed Memory Disclosure – Upgrade OpenSSL Now!" (http://vrt-blog.snort.org/2014/04/heartbleed-memory-disclosure-upgrade.html). April 8, 2014.
62. Mann, Jeffrey (April 9, 2014). "Tenable Facilitates Detection of OpenSSL Vulnerability Using Nessus and Nessus Perimeter Service" (http://www.tenable.com/blog/tenable-facilitates-detection-of-openssl-vulnerability-using-nessus-and-nessus-perimeter). Tenable Network Security.
63. "Heartbleed FAQ: Akamai Systems Patched" (https://blogs.akamai.com/2014/04/heartbleed-faq-akamai-systems-patched.html). Akamai Technologies.
64. "AWS Services Updated to Address OpenSSL Vulnerability" (https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/). Amazon Web Services.
65. "Dear readers, please change your Ars account passwords ASAP" (http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/). Ars Technica.
66. "All Heartbleed upgrades are now complete" (http://blog.bitbucket.org/2014/04/09/all-heartbleed-upgrades-are-now-complete/). BitBucket Blog.
67. "Keeping Your BrandVerity Account Safe from the Heartbleed Bug" (http://blog.brandverity.com/2721/keeping-your-brandverity-account-safe-from-the-heartbleed-bug/). BrandVerity Blog.
68. "Twitter / freenodestaff: we've had to restart a bunch..." (https://twitter.com/freenodestaff/status/453470038704795648).
69. "Security: Heartbleed vulnerability" (https://github.com/blog/1818-security-heartbleed-vulnerability). GitHub. April 8, 2014.
70. "IFTTT Says It Is 'No Longer Vulnerable' To Heartbleed" (http://www.lifehacker.com.au/2014/04/ifttt-says-it-is-no-longer-vulnerable-to-heartbleed/). LifeHacker.

71. "Heartbleed bug and the Archive | Internet Archive Blogs" (https://blog.archive.org/2014/04/09/heartbleed-bug-and-the-archive/). Blog.archive.org.
72. "Twitter / KrisJelbring: If you logged in to any of" (https://twitter.com/KrisJelbring/status/453559871028613121). Twitter.
73. "The widespread OpenSSL 'Heartbleed' bug is patched in PeerJ" (http://blog.peerj.com/post/82185230692/the-widespread-openssl-heartbleed-bug-is-patched-in). PeerJ. April 9, 2014.
74. "Heartbleed Defeated" (http://engineering.prezi.com/blog/2014/04/12/heartbleet/).
75. "IMPORTANT ANNOUNCEMENTS FROM THE MAKERS OF CHILI" (http://forums.somethingawful.com/announcement.php?forumid=1).
76. Codey, Brendan (April 9, 2014). "Security Update: We're going to sign out everyone today, here's why" (http://blog.soundcloud.com/2014/04/09/heartbleed/). SoundCloud.
77. "ctsai" (April 10, 2014). "SourceForge response to Heartbleed" (https://sourceforge.net/blog/sourceforge-response-to-heartbleed/). SourceForge.
78. "Heartbleed" (https://www.sparkfun.com/news/1455). SparkFun.
79. "Heartbleed" (https://stripe.com/blog/heartbleed). Stripe (company).
80. "Tumblr Staff-Urgent security update" (http://staff.tumblr.com/post/82113034874/urgent-security-update).
82. Grossmeier, Greg (April 10, 2014). "Wikimedia's response to the "Heartbleed" security vulnerability" (https://blog.wikimedia.org/2014/04/10/wikimedias-response-to-the-heartbleed-security-vulnerability/). Wikimedia Foundation blog.
83. Grossmeier, Greg (April 8, 2014). "[Wikitech-l] Fwd: Security precaution – Resetting all user sessions today" (http://lists.wikimedia.org/pipermail/wikitech-l/2014-April/075801.html). Wikimedia Foundation.
84. "Wunderlist & the Heartbleed OpenSSL Vulnerability" (http://support.wunderlist.com/customer/portal/articles/1508382-sync-service-heartbleed---8th-of-april-2014).
85. IPCop (April 8, 2014). "IPCop 2.1.4 is released" (http://marc.info/?l=ipcop-announce&m=139697815506679). SourceForge electronic mailing lists.
86. Staff (April 8, 2014). "LastPass and the Heartbleed Bug" (http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html). LastPass.
87. italovignoli (April 10, 2014). "LibreOffice 4.2.3 is now available for download" (http://blog.documentfoundation.org/2014/04/10/libreoffice-4-2-3-is-now-available-for-download/). The Document Foundation. Archived (http://web.archive.org/web/20140412013421/http://blog.documentfoundation.org/2014/04/10/libreoffice-4-2-3-is-now-available-for-download/) from the original on April 12, 2014.
88. "LogMeIn and OpenSSL" (http://blog.logmein.com/products/openssl). LogMeIn.
89. "OpenSSL bug CVE-2014-0160" (https://blog.torproject.org/blog/openssl-bug-cve-2014-0160). Tor Project. April 7, 2014.
90. "Security concerns prompts tax agency to shut down website" (http://www.ctvnews.ca/canada/security-concerns-prompts-tax-agency-to-shut-down-website-1.1767727). CTV News.
91. "Heartbleed: Canadian tax services back online" (http://www.cbc.ca/news/business/heartbleed-canadian-tax-services-back-online-1.2608781). CBC News.
92. "OpenSSL Heartbleed Vulnerability" (http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2014/al14-005-eng.aspx). Cyber Security Bulletins. Public Safety Canada.
93. Kelion, Leo. "BBC News – US government warns of Heartbleed bug danger" (http://www.bbc.com/news/technology-26985818). Bbc.com.
94. "heartbleed-masstest/top1000.txt" (https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt). GitHub.
95. Hern, Alex (April 9, 2014). "Heartbleed: don't rush to update passwords, security experts warn" (http://www.theguardian.com/technology/2014/apr/09/heartbleed-dont-rush-to-update-passwords-security-experts-warn). The Guardian.

External links

Summary and Q&A about the bug (http://heartbleed.com/) – by Codenomicon Ltd
The Heartbleed Hit List: The Passwords You Need to Change Right Now (http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/) – by Mashable
Video (08:40) – Explanation of the Heartbleed bug (http://vimeo.com/91425662)
PCMAG – Change Your Passwords (http://securitywatch.pcmag.com/hacking/322494-heartbleed-fallout-change-all-your-passwords)
Heartbleed bug: Frequently Asked Questions (http://www.adminschoice.com/heartbleed-bug-frequently-asked-questions)
Heartbleed Infographic showing sites affected and those secured (https://twitter.com/scottdylan/status/455109361246162944)
'Heartbleed' Bug: The Most Serious Bug in Recent Years (http://www.hnkcnews.com/2014/04/09/heartbleed-bug-poses-major-threat-to-user-data/)

Retrieved from "http://en.wikipedia.org/w/index.php?title=Heartbleed&oldid=604169039"
Categories: Computer security exploits | Internet security | Software bugs
This page was last modified on 14 April 2014 at 15:14.