Introduction to HTTP
Why HTTP over SSL?
Discovery of Heartbleed
OpenSSL heartbeat extension
What exactly is bleeding?
Protecting against Heartbleed attacks
A quick demo
A typical HTTP communication
• Client: open a connection
• Client: GET <file location>
• Server: send page or error message
• Client: display response
• Close connection
When packets of data are sent out over the internet in the clear, a lot more
can happen to them than you think: anyone on the path can read or alter them!
Need for encryption: SSL/TLS
Provides authentication, confidentiality and integrity.
Asymmetric encryption for the key exchange (public and private keys)
The key exchange establishes a shared session key between the client and server
SHARED secret key – symmetric encryption under it ensures that the message stays private
even if it is intercepted.
OpenSSL - open source implementation of SSL and TLS
Discovery of Heartbleed
The bug was independently discovered by a team of security
engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta
of Google Security, who first reported it to the OpenSSL team on
April 1, 2014
Massive SSL bug impacts Internet and its users
According to Netcraft's survey about 17.5% of SSL sites had the
heartbeat extension enabled (about half a million sites)
Affected versions - OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1
(1.0.1 shipped in March 2012, so the bug was live for about two years); fixed in 1.0.1g
Apache and nginx servers typically use OpenSSL for their TLS implementation
TLS/DTLS heartbeats are defined in RFC 6520
Similar in purpose to Connection: keep-alive in HTTP
They can be sent without authenticating with the server
A heartbeat is a message that is sent to the server just so
the server can send it back: the response echoes the request's payload. This lets a client know that
the server is still connected and listening.
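The following is an added example, not code from the slides or from OpenSSL: it builds RFC 6520 heartbeat messages (type byte, two-byte payload_length, payload, at least 16 bytes of padding) and shows two responders. The first applies the check the RFC requires, discarding any request whose payload_length does not fit in the record it arrived in. The second trusts payload_length and copies that many bytes, running into a constructed byte string that stands in for whatever the server process had in memory after the record; this is the behaviour the later slides mean by "bleeding". The message bytes and the "memory" are constructed for the demo.

```python
import struct

# RFC 6520 HeartbeatMessageType values and the minimum padding length.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: padding MUST be at least 16 bytes
HEADER_LEN = 3    # type (1 byte) + payload_length (2 bytes, big-endian)


def build_heartbeat(msg_type, payload, declared_length=None, padding_len=MIN_PADDING):
    """Encode a HeartbeatMessage: type | payload_length | payload | padding.

    declared_length lets a caller write a payload_length that lies about the
    real payload size, which is exactly what a malicious client does.
    """
    if declared_length is None:
        declared_length = len(payload)
    return struct.pack("!BH", msg_type, declared_length) + payload + b"\x00" * padding_len


def response_payload(response):
    """Return the echoed payload carried by a heartbeat response."""
    _, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]


def checked_respond(record):
    """RFC-compliant responder.

    The payload must fit inside the record together with the header and the
    16-byte minimum padding; otherwise the message is discarded silently
    (returns None), as RFC 6520 requires.
    """
    if len(record) < HEADER_LEN:
        return None
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None  # payload_length too large for this record: drop it
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


def unchecked_respond(record, memory_after_record):
    """Simulated vulnerable responder (no length check).

    It copies payload_length bytes starting at the payload, so when the
    declared length exceeds the real payload it keeps reading into
    memory_after_record, a constructed stand-in for adjacent process memory.
    """
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    buffer = record + memory_after_record
    payload = buffer[HEADER_LEN:HEADER_LEN + payload_length]
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


if __name__ == "__main__":
    # Constructed demo data: an honest request, a lying request, and fake memory.
    honest = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    lying = build_heartbeat(HEARTBEAT_REQUEST, b"ping", declared_length=40)
    memory = b"SECRET-COOKIE-0123456789"

    print("checked, honest :", response_payload(checked_respond(honest)))
    print("checked, lying  :", checked_respond(lying))
    print("unchecked, lying:", response_payload(unchecked_respond(lying, memory)))
```

The honest request declares a 4-byte payload and gets `b"ping"` echoed by both responders. The lying request declares 40 bytes while carrying 4; the checked responder drops it, while the unchecked one echoes the 4 real bytes, the 16 bytes of padding and then 20 bytes of whatever followed the record.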