Guide to Heartbleed Bug in OpenSSL – What to Know

by ServerSSL

You may have heard a lot about the Heartbleed bug. Before you panic, it is best to equip yourself with the right knowledge about this bug so that you can avoid it. The Heartbleed bug lies in OpenSSL’s implementation of the TLS heartbeat. The purpose of the heartbeat is to verify that a connection is still open, which it does by sending an arbitrary message and expecting a response to it.

How SSL Works

Understanding how SSL works can help you better understand what the Heartbleed bug is all about. As you know, encryption is done using keys that usually come in pairs. These keys are special files, each of which can only decrypt data that was encrypted with the other key of the pair. There is a public key that your computer gets, and a private key that stays with the server. With this, only you and the server are able to read the messages being transmitted, and thus no one else can intercept them.

OpenSSL

You should understand that SSL is just a protocol, so there has to be software that implements the protocol and lets computers communicate with it. The most popular software of this type is OpenSSL, an open source project that is used on many servers as well as on devices such as your mobile phone and your Internet router.

Understanding the Heartbleed Bug

Setting up a connection on the Internet takes a small amount of processing power, so to avoid repeating that work, connections must be kept alive. This means sending tiny bits of data to let the other computer know that you are still on the line and are not about to close the connection. In SSL, this feature is known as the “heartbeat”, which is why the bug is known as “Heartbleed”.

Now let’s move on to the interesting part. When your computer sends a heartbeat to the server, it delivers a little bit of data called the payload, along with a number that describes how big that data is. The server responds in kind: it stores the message in memory and then copies it out to send it back to you. The server knows how much to copy and send back because your computer has told it how big the message is.

Unfortunately, in certain versions of OpenSSL the heartbeat feature has a bug in a single line of code: it does not check whether the “size” you claimed is actually the size of what you sent. This means that you could send a tiny bit of data and claim it was much bigger. Without this security check, the server goes ahead and copies a big chunk of its memory and sends it back to you, thinking that it is what you originally sent. This is how the Heartbleed bug came about.
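The missing size check described above, shown as a simplified C model next to its corrected form. This is an added example, not OpenSSL's code: the names (arena, load_request, echo_unchecked, echo_checked), the fake secret and the 3-byte header layout are assumptions made for illustration, and the padding that a real heartbeat message carries is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory: the received record sits at the
 * start, and unrelated data (here a fake secret) happens to follow it. */
#define ARENA_SIZE 64
static uint8_t arena[ARENA_SIZE];

/* Simplified heartbeat request: type (1 byte), claimed length (2 bytes,
 * big-endian), then the payload. Returns the record's real length. */
static size_t load_request(uint16_t claimed, const char *payload) {
    size_t n = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, payload, n);
    memcpy(arena + 3 + n, "SECRET-KEY", 10); /* adjacent, not part of the record */
    return 3 + n;
}

/* Buggy behaviour: copies as many bytes as the sender claimed. */
static int echo_unchecked(size_t record_len, uint8_t *out, size_t out_cap) {
    uint16_t claimed = (uint16_t)((arena[1] << 8) | arena[2]);
    (void)record_len;                        /* never consulted: the bug */
    if (claimed > out_cap || 3u + claimed > ARENA_SIZE) return -1; /* keeps the demo in bounds */
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Corrected behaviour: the claimed length must fit in what was received. */
static int echo_checked(size_t record_len, uint8_t *out, size_t out_cap) {
    if (record_len < 3) return -1;
    uint16_t claimed = (uint16_t)((arena[1] << 8) | arena[2]);
    if (3u + claimed > record_len || claimed > out_cap) return -1; /* drop the request */
    memcpy(out, arena + 3, claimed);
    return claimed;
}

int main(void) {
    uint8_t out[ARENA_SIZE];
    size_t len = load_request(14, "bird");   /* sends 4 bytes, claims 14 */
    int n = echo_unchecked(len, out, sizeof out);
    printf("unchecked: %d bytes: %.*s\n", n, n, (const char *)out);
    printf("checked:   %d\n", echo_checked(len, out, sizeof out));
    return 0;
}
```

With the check in place, a request whose claimed size is larger than what was actually received is dropped, while an honest request is echoed back unchanged.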
