The Heartbleed Bug is an OpenSSL vulnerability that would allow malicious hackers to steal information from websites that would normally be protected by the SSL/TLS encryption. The open source OpenSSL cryptography library is used to implement the Internet's Transport Layer Security (TLS) protocol.
Named by the researchers who discovered the security flaw, the Heartbleed Bug theoretically lets anyone on the Internet access a secure Web server running certain versions of OpenSSL to obtain site encryption keys, user passwords and site content.
According to the official Heartbleed Bug website, OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable while OpenSSL version 1.0.1g patches the security flaw.
Heartbleed Flaw Creation and Bug Discovery
The Heartbleed bug was initially discovered by Google engineer Neel Mehta and the Finnish security firm Codenomicon. The security flaw was introduced in the open source OpenSSL encryption protocol by German software developer Robin Seggelmann. Since the flaw has become widely known, Seggelmann has said the bug was inadvertently missed by himself and another code reviewer and the bug was not inserted maliciously, despite online conspiracy theories concerning Heartbleed, such as NSA using the Heartbleed bug to spy.
The Heartbleed Bug in the News
Heartbleed Bug Rumors
RCMP asked Revenue Canada to delay news of SIN thefts
Heartbleed bug bites millions of Android phones
Heartbleed bug: What’s affected and what passwords you need to change
Tests confirm Heartbleed bug can expose server's private key
There are few documented cases of attacks exploiting the Heartbleed bug, but security experts warn that using the bug would leave no trace and all websites using the affected OpenSSL versions should be considered compromised.
While many large sites, including Google, Facebook and others were quick to note services were "safe" from Heartbleed, the public announcement on April 8, 2014 seems to have prompted attacks. The Canada Revenue Agency (CRA) shut down it public online services to patch for the flaw but before the fix was implemented the CRA said 900 social insurance numbers were stolen from CRA computers by persons exploiting the Heartbleed bug.
In another reported attack, UK-based parenting website, Mumsnet, also claims to have experienced a breach where the infiltrator claimed to have used Heartbleed to access an account. The site provided some details to its users along with instructions on how to reset site passwords.
Heartbleed: Beyond the Internet
The Heartbleed bug extends beyond the Internet. For example, mobile devices running the 4.1.1 Android operating system (released in 2012) have the Heartbleed software bug. All other versions are immune to the flaw, but this leaves millions of smartphones and tablets vulnerable. In addition, operating systems, including Debian Wheezy (stable), Ubuntu 12.04.4 LTS, CentOS 6.5, OpenBSD 5.3 and OpenSUSE 12.2 are versions that have shipped with a vulnerable OpenSSL version (see full list).
Stay up to date on the latest developments in Internet terminology with a free weekly newsletter from Webopedia. Join to subscribe now.
We look at a few of the more troubling aspects of statistics and how these may be used to advance an agenda or skew the facts to someone's... Read More »29 Free Android Apps for Cash-Strapped Students
From wacky alarm clocks to lecture hall tools and after class entertainment, these Android apps are a good fit for a student's life and budget. Read More »Sharing Threat Intelligence
A growing number of startups make the sharing of threat intelligence a key part of their solutions. Read More »
The Open System Interconnection (OSI) model defines a networking framework to implement protocols in seven layers. Use this handy guide to compare... Read More »Network Fundamentals Study Guide
Networking fundamentals teaches the building blocks of modern network design. Learn different types of networks, concepts, architecture and... Read More »Computer Architecture Study Guide
This Webopedia study guide describes the different parts of a computer system and their relations. Read More »