Heartbleed Explained
Mike Chapple, University of Notre Dame
Do you understand how the Heartbleed bug works? This set of slides provides a simple explanation of the year's most critical Internet security flaw and explains how you can protect yourself.

Published in: Internet, Technology, Education
  1. Heartbleed Explained
     Mike Chapple, University of Notre Dame
  2. “'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11.” - Bruce Schneier
  3. The Heartbeat
     • Used to keep connections alive
     • Client sends data to the server, server repeats it back
     • Similar to ICMP Ping, but within TLS
     (Diagram: a client sends Heartbeat “Hello”, length 6, to a web server running OpenSSL; the server answers with Heartbeat “Hello”, length 6.)
  4. The Problem
     • Older versions of OpenSSL don’t check that the length of text requested is the same as the length of text provided
     • They send back the input data, plus arbitrary memory contents -- whatever the server happens to have in memory!
       – Passwords
       – Account information
       – SSL Private Keys
  5. How Widespread is OpenSSL?
  6. (Image: xkcd.com)
  7. (Image: xkcd.com)
  8. (Image: xkcd.com)
  9. What to Do About Heartbleed
     Server-Side
     • Quick fix: Disable Heartbeats
     • Real fix: Upgrade OpenSSL
     User Actions
     • Change passwords
     • Test sites yourself
  10. (No text on this slide)
  11. Questions? mchapple@nd.edu @mchapple
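As an added illustration of the missing length check described on slide 4 (example code written for this page, not from the deck or from OpenSSL): a simplified heartbeat handler in C, first in the unchecked form that produces the over-read, then with the bounds check that stops it. The record layout follows RFC 6520 (type byte, 2-byte payload length, payload, at least 16 bytes of padding); the "server memory" and its contents are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed slice of server memory: one received heartbeat record, then
 * unrelated data standing in for whatever sits next to the record in a real
 * process. RECORD_LEN is how many bytes were actually received. */
#define RECORD_LEN 24u
static const uint8_t server_mem[64] = {
    0x01, 0x00, 0x05, 'H', 'e', 'l', 'l', 'o',         /* request, length 5, "Hello" */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,    /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y',  /* adjacent, unrelated memory */
};

/* Vulnerable pattern: trusts the length field in the packet and never asks how
 * many bytes the record really contains. Returns the reply length. */
static size_t heartbeat_reply_unchecked(const uint8_t *rec, size_t rec_len,
                                        uint8_t *out, size_t out_cap) {
    size_t plen = (size_t)(rec[1] << 8 | rec[2]);
    (void)rec_len;                                     /* the bug: never consulted */
    if (3 + plen > out_cap) return 0;                  /* keeps this demo in bounds */
    out[0] = 0x02; out[1] = rec[1]; out[2] = rec[2];   /* response, echoed length */
    memcpy(out + 3, rec + 3, plen);                    /* copies past the record's end */
    return 3 + plen;
}

/* Hardened form: replies only if header + payload + minimum padding fit inside
 * the bytes actually received. Returns 0 on success, -1 on reject. */
static int heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t plen = (size_t)(rec[1] << 8 | rec[2]);
    if (1 + 2 + plen + 16 > rec_len) return -1;        /* the check the old code lacked */
    if (3 + plen > out_cap) return -1;
    out[0] = 0x02; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, plen);
    *out_len = 3 + plen;
    return 0;
}

/* Feeds the unchecked handler a copy of the record whose length field claims 40
 * bytes although only 5 were sent; returns how many reply bytes came from beyond
 * the record (19 here) after copying them into `leaked`. */
static size_t unchecked_overread(uint8_t *leaked, size_t cap) {
    uint8_t mem[sizeof server_mem], out[128];
    memcpy(mem, server_mem, sizeof mem);
    mem[1] = 0x00; mem[2] = 40;                        /* oversized length field */
    size_t n = heartbeat_reply_unchecked(mem, RECORD_LEN, out, sizeof out);
    size_t extra = n > RECORD_LEN ? n - RECORD_LEN : 0;
    if (extra > cap) extra = cap;
    memcpy(leaked, out + RECORD_LEN, extra);
    return extra;
}
```

The "quick fix" on slide 9 corresponds to building OpenSSL with heartbeats compiled out (`-DOPENSSL_NO_HEARTBEATS`), which removes this code path entirely; the real fix is an upgraded OpenSSL whose handler carries the check shown in the hardened form.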