
Heartbleed bug: how it works and how it was fixed


Guys, first of all I want to clear up one misconception about it: is it a virus or a bug? Heartbleed is not a “computer virus”; it is a vulnerability in the OpenSSL cryptographic software library.
This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names, and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

In simple words, we can say Heartbleed is a bug in the OpenSSL SSL/TLS flow.

The TLS/SSL standards are crucial for modern web encryption, and while the flaw was in the OpenSSL implementation rather than the standards themselves, OpenSSL is so widely used — when the bug was made public, it affected 17% of all SSL servers — that it precipitated a security crisis.

How Heartbleed works

To understand how the Heartbleed vulnerability (CVE-2014-0160) works, you need to know a little bit about how the TLS/SSL protocols operate, and how computers store information in memory.

One important part of the TLS/SSL protocols is what’s called a heartbeat. Essentially, this is how the two computers communicating with one another let each other know that they’re still connected even if the user isn’t downloading or uploading anything at the moment. Occasionally, one of the computers will send an encrypted piece of data, called a heartbeat request, to the other. The second computer will reply back with the exact same encrypted piece of data, proving that the connection is still in place. Crucially, the heartbeat request includes information about its own length.

So, for example, if you’re reading your Yahoo mail but haven’t done anything in a while to load more information, your web browser might send a signal to Yahoo’s servers saying, in essence, “This is a 40 KB message you’re about to get. Repeat it all back to me.” (The requests can be up to 64 KB long.) When Yahoo’s servers receive that message, they allocate a memory buffer — a region of physical memory where it can store information — that’s 40 KB long, based on the reported length of the heartbeat request. Next, it stores the encrypted data from the request into that memory buffer, then reads the data back out of it and sends it back to your web browser.

That’s how it’s supposed to work. The Heartbleed vulnerability arose because OpenSSL’s implementation of the heartbeat functionality was missing a crucial safeguard: the computer that received the heartbeat request never checked to make sure the request was actually as long as it claimed to be. So if a request said it was 40 KB long but was actually only 20 KB, the receiving computer would set aside 40 KB of memory buffer, then store the 20 KB it actually received, then send back that 20 KB plus whatever happened to be in the next 20 KB of memory. That extra 20 KB of data is information that the attacker has now extracted from the web server.

This is the crucial part of the operation. Even when a computer is done with information, it persists in memory buffers until something else comes along to overwrite it. If you’re the attacker, you have no way to know in advance what might be lurking in that 20 KB you just grabbed off the server, but there are a number of possibilities. It could be gibberish or useless cruft. You could get SSL private keys, which would allow for the decryption of secure communication to that server (this is unlikely, but would be the holy grail for an attacker). More commonly, you could get back usernames and passwords that had been submitted to applications and services running on the server, which would allow you to log in and gain access.

Heartbleed code

Remember, this vulnerability is still present on sites that are using free SSL. Use this code at your own risk. (I mention it just for educational purposes.)

The coding mistake that caused Heartbleed can be traced to a single line of code:

memcpy(bp, pl, payload);

memcpy() is the command that copies data. bp is the place it’s copying it to, pl is where it’s being copied from, and payload is the length of the data being copied. The problem is that there’s never any attempt to check if the amount of data in pl is equal to the value given of payload.

The most ironic thing here is that OpenSSL is open source software. Anyone could look at the code, and presumably hundreds did, but nobody noticed the fairly elementary coding error.

The Heartbleed fix

Patches were rolled out for OpenSSL right away when the vulnerability was announced, and in all likelihood most formerly vulnerable servers have been updated by this point, but it can’t hurt to test if you’re not sure — it’s always possible that some server that’s important to you has been chugging along for years without a proper upgrade. Pentest-tools.com has a free web-based test that lets you input a URL to discover if a server has been properly patched.

The way to fix the Heartbleed vulnerability is to upgrade to the latest version of OpenSSL. You can find links to all the latest code on the OpenSSL website.

If you’re curious about the code that implements the fix, you can look at it — after all, OpenSSL is open source:

/* Read type and payload length first */
if (1 + 2 + 16 > s->s3->rrec.length)
    return 0; /* silently discard */
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
    return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;

The first part of this code makes sure that the heartbeat request isn’t 0 KB, which can cause problems. The second part makes sure the request is actually as long as it says it is.
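
The unchecked copy and the two checks from the fix, side by side in a stand-alone simulation. This is an example added here, not OpenSSL's code: the function names, the arena layout and the sample string are constructed for illustration, and the over-read stays inside one array so the program is well-defined C.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_RESPONSE 2    /* heartbeat_response message type (RFC 6520) */
#define HB_PADDING  16u  /* minimum padding after the payload (RFC 6520) */

/* The 2-byte big-endian payload length the sender claims, after the type byte. */
static size_t claimed_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Build the reply: type, echoed length, then `payload` bytes copied back. */
static size_t echo(const uint8_t *rec, size_t payload, uint8_t *out) {
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);  /* the page's memcpy(bp, pl, payload) */
    return 3 + payload;
}

/* Pre-fix behaviour: the claimed length is trusted. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                      /* never consulted: that is the bug */
    return echo(rec, claimed_len(rec), out);
}

/* Post-fix behaviour: the patch's two checks; 0 means "silently discard". */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;                       /* cannot even hold type + length + padding */
    size_t payload = claimed_len(rec);
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                       /* claims more than actually arrived */
    return echo(rec, payload, out);
}

/* Constructed sample: a short request followed in the same array by "stale" data. */
static const char STALE[] = "user=alice&pw=hunter2";
size_t build_arena(uint8_t *arena, size_t claimed) {
    size_t rec_len = 3 + 4 + HB_PADDING;           /* 23 bytes really arrive */
    arena[0] = 1;                                  /* heartbeat_request */
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)claimed;
    memcpy(arena + 3, "ping", 4);
    memset(arena + 7, 0, HB_PADDING);
    memcpy(arena + rec_len, STALE, sizeof STALE);  /* neighbouring memory */
    return rec_len;
}

int main(void) {
    uint8_t arena[128] = {0}, out[128] = {0};
    size_t n = build_arena(arena, 32);             /* claims 32, carries 4 */
    printf("unchecked=%zu checked=%zu\n",
           hb_reply_unchecked(arena, n, out), hb_reply_checked(arena, n, out));
    return 0;
}
```

With a claimed length of 32 the unchecked reply carries the 4 real payload bytes, the padding, and the start of the neighbouring string; the checked version discards the same request and still echoes an honest one.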

If you discover that a server under your control has been left vulnerable for some time, there’s more to do than just update the OpenSSL code. For instance, you should change the SSL certificates used by the servers, since they may have been compromised without leaving a trace. More pedestrian but still important: users who have accounts on the system should change their passwords.

Now check out how non-tech guys are spreading wrong information about the “Heartbleed” bug.

  • As I said above, it’s not a virus. It’s a bug in programming that is used by hackers to get access to confidential data.
  • Red Herring is not a device; it’s a line of code to create a loop in decoy servers.
  • Red Herring was a failed experiment.
  • This vulnerability/bug is still present on websites that are using free SSL.

Guys, there are lots of misleading lines, as I explained from the start.



Lovepreet Singh
