IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [heartbleed]

A highly critical vulnerability in the OpenSSL library which allows an attacker to obtain random 64kByte blocks of memory from the process using said library, which could include user credentials, private SSL keys, and other data sent/received from the server.

OpenSSL Security Advisory [07 Apr 2014]

TLS heartbeat read overrun (CVE-2014-0160)

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

133 questions
260
votes
11 answers

How to explain Heartbleed without technical terms?

Most of my friends who are not experienced in computers want to know what Heartbleed is and how it works. How would one explain Heartbleed to someone without a technical background?
user36976
  • 3,233
  • 4
  • 14
  • 22
226
votes
1 answer

How exactly does the OpenSSL TLS heartbeat (Heartbleed) exploit work?

I've been hearing more about the OpenSSL Heartbleed attack, which exploits some flaw in the heartbeat step of TLS. If you haven't heard of it, it allows people to: Steal OpenSSL private keys Steal OpenSSL secondary keys Retrieve up to 64kb of…
user43639
127
votes
2 answers

How is the Heartbleed exploit even possible?

I have read about the Heartbleed OpenSSL vulnerability and understand the concept. However what I don't understand is the part where we pass 64k as the length and the server returns 64kb of random data because it does not check whether we really…
Talha Sayed
  • 1,001
  • 2
  • 8
  • 8
114
votes
5 answers

What should a website operator do about the Heartbleed OpenSSL exploit?

CVE-2014-0160 http://heartbleed.com This is supposed to be a canonical question on dealing with the Heartbeat exploit. I run an Apache web server with OpenSSL, as well as a few other utilities relying on OpenSSL (as client). What should I do to…
Deer Hunter
  • 5,297
  • 5
  • 33
  • 50
73
votes
4 answers

What clients are proven to be vulnerable to Heartbleed?

On several pages, it is re-iterated that attackers can obtain up to 64K memory from the server or client that use an OpenSSL implementation vulnerable to Heartbleed (CVE-2014-0160). There are dozens of tools that reveal the bug in server…
Lekensteyn
  • 5,898
  • 5
  • 37
  • 62
67
votes
3 answers

Heartbleed: Why does the client supply the length of the message at all?

"The fix for this bug is simple: check that the length of the message actually matches the length of the incoming request." Why do we even have the client report the length at all? If we can know the length of the incoming request, can't we just…
Elliot
  • 753
  • 5
  • 9
61
votes
2 answers

Does the heartbleed vulnerability affect clients as severely?

If I have a web crawler (using a non-patched version of OpenSSL) that can be coaxed to connect to an evil https-site, can they get everything from my process memory? To attack a server you can keep reconnecting to get more 64kb blocks (if I…
Gurgeh
  • 721
  • 1
  • 5
  • 5
59
votes
4 answers

Does Heartbleed mean new certificates for every SSL server?

If you haven't heard of the Heartbleed Bug, it's something to take a look at immediately. It essentially means that an attacker can exploit a vulnerability in many versions of OpenSSL to be able to gain access to a server's private key. It is not a…
Naftuli Kay
  • 6,715
  • 9
  • 47
  • 75
58
votes
2 answers

What should end-users do about Heartbleed?

What should a website operator do about the Heartbleed OpenSSL exploit? mainly talks about what people running websites should do about Heartbleed. What should end-users of websites be doing? Do they need to change their passwords? If so, should…
Andrew Grimm
  • 2,100
  • 2
  • 20
  • 27
28
votes
6 answers

Heartbleed and Routers/ASAs/other

OK, so I first heard about heartbleed a few hours ago through the stack exchange questions feed, and after a moments panic, realised that the only web servers I have secured via OpenSSL are on the internal network. Patched anyway, but now I have…
Chris O'Kelly
  • 442
  • 1
  • 4
  • 11
26
votes
3 answers

How can an attacker use a leaked private key?

I admit that while I'm a programmer, my crypto/security knowledge is fairly basic. I understand that the potential of leaking private SSL keys is cited as one of the most serious effects of the Heartbleed bug. My question is, how can an attacker…
Angew is no longer proud of SO
  • 374
  • 1
  • 4
  • 10
23
votes
4 answers

Should I change all my passwords due to heartbleed

Should I change all of my online passwords due to the heartbleed bug? Edit: I found a list of vulnerable sites on GitHub and checked all my critical sites. Everything I was really concerned with was not vulnerable according to the list.
derelict
  • 348
  • 1
  • 2
  • 10
21
votes
2 answers

Can Heartbleed be used to obtain memory from other processes?

According to http://heartbleed.com/, memory contents can be leaked from the server to the client and vice versa. Say that I have been banking in a separate browser profile (but under the same user). If another browser profile happened to be targeted…
Lekensteyn
  • 5,898
  • 5
  • 37
  • 62
19
votes
4 answers

Is TLS 1.0 more secure than TLS 1.2?

I just wanted to confirm, my system admin is telling me that TLS 1.0 is more secure than TLS 1.2 and told me I should stay on TLS 1.0...is this accurate? He mentioned that TLS 1.2 is more vulnerable and that TLS 1.0 is more secure. And that the…
olimits7
  • 291
  • 1
  • 2
  • 3
19
votes
4 answers

Which services are affected by Heartbleed?

I have to admit that I'm confused as to which services exactly are affected by Heartbleed. I have read http://heartbleed.com but all I read is that OpenSSL is affected. Great, but I don't really know where OpenSSL is used. So concretely, are these…
Matthieu Napoli
  • 292
  • 1
  • 2
  • 7
1
2 3
8 9