Do you understand how the Heartbleed bug works? This set of slides provides a simple explanation of the year's most critical Internet security flaw and explains how you can protect yourself.
Heartbleed Explained
Mike Chapple, University of Notre Dame
“'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11.” - Bruce Schneier
The Heartbeat
• Used to keep connections alive
• Client sends data to the server, server repeats it back
• Similar to ICMP Ping, but within TLS

[Diagram: a client sends Heartbeat “Hello” with length 6 to a web server running OpenSSL; the server replies with Heartbeat “Hello”, length 6]
The Problem
• Older versions of OpenSSL don’t check that the length of text requested is the same as the length of text provided
• They send back the input data, plus arbitrary memory contents -- whatever the server happens to have in memory!
  – Passwords
  – Account information
  – SSL Private Keys
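The two bullets above describe a missing bounds check: the handler trusts the length field in the heartbeat header instead of the number of bytes it actually received. The following C program is an added illustration, not code from the slides or from OpenSSL. It models a heartbeat record (type, two-byte declared length, payload, 16 bytes of padding; constants `HB_HDR`, `HB_PAD` and the function names are this example's own), shows the patched handler that refuses a declared length larger than the record, and runs the same oversized request against a simulated unpatched handler that reads from a constructed in-process buffer standing in for server memory, so the over-read stays within bounds while still showing what an unchecked copy would have echoed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record: 1 byte type, 2 bytes declared
 * payload length (big endian), the payload, then 16 bytes of padding.  The
 * constants and function names below are this example's own. */
#define HB_HDR 3
#define HB_PAD 16
#define HB_REQUEST 1
#define HB_RESPONSE 2

/* Build a heartbeat request.  The declared length is a separate argument
 * because a peer may state a length that disagrees with the bytes it actually
 * sends; that mismatch is exactly what the missing check let through. */
static size_t build_request(uint8_t *buf, size_t cap, const char *payload,
                            uint16_t declared_len)
{
    size_t n = strlen(payload), total = HB_HDR + n + HB_PAD;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + HB_HDR, payload, n);
    memset(buf + HB_HDR + n, 0, HB_PAD);
    return total;
}

/* Patched behaviour: echo the payload only if the declared length fits inside
 * the record actually received.  Returns the response length, or -1. */
static int heartbeat_checked(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PAD || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The check older OpenSSL lacked: declared length vs. bytes received. */
    if (HB_HDR + payload_len + HB_PAD > rec_len) return -1;
    size_t resp_len = HB_HDR + payload_len + HB_PAD;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PAD);
    return (int)resp_len;
}

/* Simulation of the unpatched behaviour.  `mem` is a constructed region
 * standing in for process memory: the record occupies its first rec_len bytes
 * and whatever follows plays the role of unrelated server data.  The copy is
 * clamped to mem_len only so this demonstration stays in bounds.  Returns how
 * many echoed bytes came from beyond the received record. */
static size_t heartbeat_unchecked_sim(const uint8_t *mem, size_t mem_len,
                                      size_t rec_len, uint8_t *out, size_t out_cap)
{
    size_t payload_len = ((size_t)mem[1] << 8) | mem[2];
    if (payload_len > mem_len - HB_HDR) payload_len = mem_len - HB_HDR;
    if (payload_len > out_cap) payload_len = out_cap;
    memcpy(out, mem + HB_HDR, payload_len);   /* trusts the declared length */
    size_t end = HB_HDR + payload_len;
    return end > rec_len ? end - rec_len : 0;
}

/* Honest request: "Hello" with a matching declared length of 5. */
static int scenario_honest(void)
{
    uint8_t req[64], resp[64];
    size_t n = build_request(req, sizeof req, "Hello", 5);
    int r = heartbeat_checked(req, n, resp, sizeof resp);
    return (r > 0 && memcmp(resp + HB_HDR, "Hello", 5) == 0) ? r : -1;
}

/* Same 5-byte payload, but the header claims 500 bytes; patched handler. */
static int scenario_oversized_checked(void)
{
    uint8_t req[64], resp[600];
    size_t n = build_request(req, sizeof req, "Hello", 500);
    return heartbeat_checked(req, n, resp, sizeof resp);
}

/* The oversized request against the simulated unpatched handler.  Copies the
 * bytes echoed from beyond the record into `leaked` (if given). */
static size_t scenario_oversized_unchecked(uint8_t *leaked, size_t cap)
{
    uint8_t mem[64] = {0}, out[600];
    size_t n = build_request(mem, sizeof mem, "Hello", 500);
    /* Constructed "neighbouring" data sitting after the record in memory. */
    memcpy(mem + n, "secret-session-cookie", 21);
    size_t over = heartbeat_unchecked_sim(mem, sizeof mem, n, out, sizeof out);
    if (leaked && cap) memcpy(leaked, out + (n - HB_HDR), over < cap ? over : cap);
    return over;
}

int main(void)
{
    uint8_t leaked[64] = {0};
    printf("honest request, checked handler: response length %d\n", scenario_honest());
    printf("oversized request, checked handler: %d (rejected)\n", scenario_oversized_checked());
    size_t over = scenario_oversized_unchecked(leaked, sizeof leaked - 1);
    printf("oversized request, unchecked handler: %zu bytes from beyond the record: \"%s\"\n",
           over, leaked);
    return 0;
}
```

The honest request produces a 24-byte response; the oversized request is refused by the checked handler but, in the simulation, makes the unchecked handler echo 40 bytes that were never part of the record, which is the “arbitrary memory contents” the slide refers to.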
How Widespread is OpenSSL?
[Image-only slides: three comic panels credited to xkcd.com]
What to Do About Heartbleed
Server-Side
• Quick fix: Disable Heartbeats
• Real fix: Upgrade OpenSSL

User Actions
• Change passwords
• Test sites yourself
Questions?