
Heartbleed Notes

posted Jun 2, 2014, 11:47 AM by Craig Cox   [ updated Jun 2, 2014, 11:47 AM ]

April, 2014

Imagine two teenagers on the phone.  They're burning minutes, but they're not actually talking; except from time to time one will say "hey" or something, to make sure the other is still there.

Computers do this too.  If you leave a web browser open on some web pages, and then walk away for a while, there's no data flowing back and forth; but under some conditions your browser will check to make sure the server is still listening, in case you come back to interact with the web page.  In computer jargon, this behavior is called a "heartbeat."

When researchers found that the heartbeat feature of a specific (but widely used) TCP encryption program could be tricked into giving up information on what was happening on its host computer, they named that vulnerability -- that leaking of potentially important, confidential data -- "heartbleed."

Randall Munroe put up a very clear explanation of how heartbleed works in one of his XKCD cartoons, here.  Highlighting shows how many characters were requested.
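As an added example (not from the original post, and not OpenSSL's own code), here is a toy model in C of the check the heartbeat code was missing: the pre-fix version trusts the sender's declared payload length, while the fixed version compares it against the bytes that actually arrived. The record layout, function names and the constructed sample request are simplified assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified heartbeat request: 1-byte type, 2-byte big-endian payload length,
 * then payload.  record_len is how many bytes actually arrived on the wire. */
typedef struct { const uint8_t *data; size_t record_len; } hb_record;

/* Pre-fix behaviour: trusts the sender's length field and echoes that many bytes.
 * 'readable' only keeps this demo inside its own buffer; the real code had no
 * such limit and read whatever process memory followed the request. */
static size_t hb_reply_unchecked(const hb_record *req, uint8_t *out, size_t readable) {
    size_t claimed = ((size_t)req->data[1] << 8) | req->data[2];
    if (claimed > readable) claimed = readable;
    memcpy(out, req->data + 3, claimed);       /* copies past the real payload */
    return claimed;
}

/* Fixed behaviour: the claimed length must fit inside the bytes that arrived. */
static int hb_reply_checked(const hb_record *req, uint8_t *out, size_t out_cap) {
    if (req->record_len < 3) return -1;
    size_t claimed = ((size_t)req->data[1] << 8) | req->data[2];
    if (claimed > req->record_len - 3 || claimed > out_cap) return -1;
    memcpy(out, req->data + 3, claimed);
    return (int)claimed;
}

/* Constructed sample: the header claims 40 payload bytes but only 4 follow.
 * The trailing bytes stand in for whatever sat next to the request in memory. */
static const uint8_t sample_request[] = {
    0x01, 0x00, 0x28,                          /* type=request, claimed length 40 */
    'p', 'i', 'n', 'g',                        /* the 4 bytes actually sent */
    'S','E','C','R','E','T',' ','D','A','T','A','!','!','!','!','!'
};
static const hb_record sample = { sample_request, 3 + 4 };

/* Bytes beyond the real 4-byte payload that the unchecked version leaks (16). */
size_t demo_leaked_bytes(void) {
    uint8_t reply[64];
    size_t n = hb_reply_unchecked(&sample, reply, sizeof sample_request - 3);
    return n > 4 ? n - 4 : 0;
}

/* 1 if the fixed version rejects the same request. */
int demo_checked_rejects(void) {
    uint8_t reply[64];
    return hb_reply_checked(&sample, reply, sizeof reply) == -1;
}

int main(void) {
    printf("unchecked: %zu stale bytes leaked; checked rejects: %d\n", demo_leaked_bytes(), demo_checked_rejects());
    return 0;
}
```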

Why is this so important?   Here is a video explaining the impact of heartbleed.

What services were affected?  Lots.  Mashable is maintaining a list as of this writing (use a script blocker for Mashable! Too many scripts!); a more detailed technical list is being maintained at GitHub. Also, this was just found Thursday night 4/17.

I had wondered how this particular bug had managed to get its own icon, when all other flaws and vulnerabilities just got index numbers and maybe a nickname. Thanks to this timeline, now I think I know.

SANS / Securing the Human has produced an out-of-schedule newsletter all about heartbleed. They also include a list of resource links at the end.

The PDF attachment to the original portal announcement