Do you understand how the Heartbleed bug works? This set of slides provides a simple explanation of the year's most critical Internet security flaw and explains how you can protect yourself.
3. The Heartbeat
• Used to keep connections alive
• Client sends data to the server, server repeats it back
• Similar to ICMP Ping, but within TLS
[Diagram: a client sends a Heartbeat request “Hello” (length 6) to a web server running OpenSSL; the server replies with Heartbeat “Hello” (length 6).]
4. The Problem
• Older versions of OpenSSL don’t check that the payload length claimed in the heartbeat request matches the length of the data actually sent
• They send back the input data plus arbitrary memory contents -- whatever the server happens to have in memory next to it!
– Passwords
– Account information
– SSL Private Keys
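Added example, not from the slides: the unchecked heartbeat handling beside the fixed version, in C. The simulated server memory, the “Hello” payload (5 bytes here) and the adjacent secret are constructed; the bounds check in the fixed version is the one the OpenSSL patch added.

```c
#include <stddef.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
#define HB_HDR      3
#define HB_PADDING  16
#define RECORD_LEN  24   /* bytes that actually arrived: header + 5-byte payload + 16 padding */

/* Constructed "server memory": a heartbeat record whose length field claims 40 bytes although
 * only "Hello" (5 bytes) was sent, followed by data that merely happens to sit next to it. */
static unsigned char server_mem[64] =
    "\x01\x00\x28Hello"
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
    "S3cretP@ss";

static size_t claimed_len(const unsigned char *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Vulnerable pattern: the claimed payload_length drives the copy; record_len is never consulted. */
size_t heartbeat_reply_unchecked(const unsigned char *rec, size_t record_len,
                                 unsigned char *out, size_t out_cap) {
    size_t n = claimed_len(rec);
    (void)record_len;                 /* the missing check */
    if (n > out_cap) n = out_cap;     /* only so this simulation stays inside our own buffers */
    memcpy(out, rec + HB_HDR, n);     /* runs past the real payload into adjacent memory */
    return n;
}

/* Fixed pattern (the check OpenSSL 1.0.1g added): header + claimed payload + minimum padding
 * must fit inside the record that was actually received; otherwise the message is dropped. */
size_t heartbeat_reply_checked(const unsigned char *rec, size_t record_len,
                               unsigned char *out, size_t out_cap) {
    if (record_len < HB_HDR + HB_PADDING) return 0;
    size_t n = claimed_len(rec);
    if (HB_HDR + n + HB_PADDING > record_len || n > out_cap) return 0;
    memcpy(out, rec + HB_HDR, n);
    return n;
}

/* 1 if the unchecked reply carries the secret that sits at memory offset 24 (reply index 21). */
int unchecked_leaks_secret(void) {
    unsigned char out[64] = {0};
    size_t n = heartbeat_reply_unchecked(server_mem, RECORD_LEN, out, sizeof out);
    return n == 40 && memcmp(out, "Hello", 5) == 0 && memcmp(out + 21, "S3cretP@ss", 10) == 0;
}

/* 1 if the checked reply refuses the mismatched record but still answers an honest one (length 5). */
int checked_rejects_mismatch_only(void) {
    unsigned char out[64], honest[64];
    if (heartbeat_reply_checked(server_mem, RECORD_LEN, out, sizeof out) != 0) return 0;
    memcpy(honest, server_mem, sizeof honest);
    honest[2] = 5;   /* claimed length now matches what was sent */
    return heartbeat_reply_checked(honest, RECORD_LEN, out, sizeof out) == 5 && memcmp(out, "Hello", 5) == 0;
}
```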
9. What to Do About Heartbleed
Server-Side
• Quick fix: Disable Heartbeats
• Real fix: Upgrade OpenSSL
User Actions
• Change passwords
• Test sites yourself