It’s hard to believe that it’s already been three years since the Heartbleed vulnerability (CVE-2014-0160) was announced, and five years since it was accidentally introduced into OpenSSL’s heartbeat extension code. While the Heartbleed bug was an accidental product of the underfunded and understaffed OpenSSL team, it turned out to be what some have called a “catastrophic flaw” or “one of the biggest flaws in the Internet’s history.”
Even harder to believe is that three years later, many servers and devices are still affected by the Heartbleed vulnerability. According to a January 2017 report by Shodan, about 200,000 devices and servers are still vulnerable to this OpenSSL vulnerability.
Despite the seriousness of the Heartbleed vulnerability, the Heartbleed Bug website mentions one silver lining: that this well-publicized vulnerability would motivate companies to maintain their software and become vigilant against future attacks. However, in the intervening three years many companies have yet to remediate the vulnerability, either because they rely on outdated software or are unaware of the issue in their code.
While larger corporations and the companies hit hardest remember the Heartbleed bug as one of the largest flaws in the Internet’s history, other companies may not have understood how it could affect them, or were never looking for that type of vulnerability information in the first place. It’s hard to know you have a problem when you don’t know where to look, or even that the problem exists!
While I originally found understanding a serious OpenSSL vulnerability like Heartbleed daunting, I learned a lot while writing this post. Below is a basic overview based on my research.