Heartbleed Explained - Mike Chapple, University of Notre Dame

DESCRIPTION

Do you understand how the Heartbleed bug works? This set of slides provides a simple explanation of the year's most critical Internet security flaw and explains how you can protect yourself.


Page 1: Heartbleed Explained

Heartbleed Explained

Mike Chapple, University of Notre Dame

Page 2: Heartbleed Explained

“'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11.”

- Bruce Schneier

Page 3: Heartbleed Explained

The Heartbeat

• Used to keep connections alive
• Client sends data to the server, server repeats it back
• Similar to ICMP Ping, but within TLS

Diagram: the Client sends a Heartbeat request “Hello” with length 6 to a Web Server running OpenSSL, and the server replies with a Heartbeat response “Hello” with length 6.

Page 4: Heartbleed Explained

The Problem

• Older versions of OpenSSL don’t check that the length of text requested is the same as the length of text provided

• They send back the input data, plus arbitrary memory contents -- whatever the server happens to have in memory!
– Passwords
– Account information
– SSL Private Keys
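As an added illustration (not code from these slides or from OpenSSL itself), a simplified C heartbeat handler that includes the bounds check older OpenSSL versions lacked: a request whose length field matches what was sent is echoed, while one that claims more bytes than it carried is rejected instead of being answered with memory contents. `process_heartbeat` and `build_request` are hypothetical names, and the request bytes are constructed here for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat record (RFC 6520): type (1 byte), payload_length (2 bytes,
   big-endian), payload, then at least 16 bytes of padding. */
#define HB_PADDING  16
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Hypothetical, simplified handler (not OpenSSL's code). Returns the number
   of response bytes written to `out`, or -1 if the request is malformed. */
int process_heartbeat(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The check older OpenSSL lacked: the length the peer claims must fit in
       the record it actually sent. Without it, the memcpy below runs past the
       real payload into whatever else is in process memory and echoes it. */
    if (3 + payload_len + HB_PADDING > rec_len) return -1;
    size_t resp_len = 3 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8); out[2] = (uint8_t)payload_len;
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);  /* padding content is ignored */
    return (int)resp_len;
}

/* Constructed test input: a request whose length field may or may not be honest. */
size_t build_request(uint8_t *buf, const char *payload, uint16_t claimed_len)
{
    size_t n = strlen(payload);
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8); buf[2] = (uint8_t)claimed_len;
    memcpy(buf + 3, payload, n);
    memset(buf + 3 + n, 0, HB_PADDING);
    return 3 + n + HB_PADDING;
}

int main(void)
{
    uint8_t req[64], resp[64];
    size_t len = build_request(req, "Hello", 5);      /* honest length field */
    printf("honest request: %d\n", process_heartbeat(req, len, resp, sizeof resp));
    len = build_request(req, "Hello", 16384);         /* claims 16 KiB, sends 5 bytes */
    printf("lying request:  %d\n", process_heartbeat(req, len, resp, sizeof resp));
    return 0;
}
```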

Page 5: Heartbleed Explained

How Widespread is OpenSSL?


Page 6: Heartbleed Explained

Image credit: xkcd.com

Page 7: Heartbleed Explained

Image credit: xkcd.com

Page 8: Heartbleed Explained

Image credit: xkcd.com

Page 9: Heartbleed Explained


What to Do About Heartbleed

Server-Side
• Quick fix: Disable Heartbeats
• Real fix: Upgrade OpenSSL

User Actions
• Change passwords
• Test sites yourself

Page 10: Heartbleed Explained


Page 11: Heartbleed Explained

Questions?

[email protected]