Diary of a Heartbleed

Learn how the Defensics fuzzing tool was used to discover this vulnerability.

The Heartbleed vulnerability affects how OpenSSL implements the heartbeat protocol in TLS. In computing, a heartbeat is a simple data message that typically determines the persistence of another machine in a given transaction; here, a heartbeat determines the persistence of the encryption between a client and a server. Heartbleed allows an attacker to request more data than a simple response should contain; in other words, it could allow the leakage of passphrases and encryption keys.

Heartbleed was independently co-discovered in April 2014 by the Synopsys research team in Finland (formerly Codenomicon). The official Common Vulnerabilities and Exposures (CVE) reference to Heartbleed, issued under the standard for information security vulnerability names maintained by MITRE, is CVE-2014-0160; however, a common name was chosen to help identify it. Officially, the world first learned about the Heartbleed vulnerability on April 7, 2014, when the open source organization OpenSSL issued a fix.
