What is Heartbleed?
Heartbleed is a serious security bug in the OpenSSL cryptography library. Its official reference is CVE-2014-0160. This bug is the result of a missing bounds check in the heartbeat function.
What is an SSL heartbeat?
Without the heartbeat function, this bug would not exist, so it’s important to understand the feature being exploited.
The SSL Heartbeat is defined by the Internet Engineering Task Force (IETF) as “…a new protocol for TLS/DTLS allowing the usage of keep-alive-functionality without performing a renegotiation and a basis for path MTU”.
In the simplest terms, the SSL Heartbeat works much like keep-alive functionality, but without having to renegotiate the secure connection.
What is a bounds check?
A bounds or boundary check is a form of input validation to ensure that variables in use do not exceed a certain size or limit. The Heartbleed bug exists because there was no such check in place in the heartbeat function.
How does it work?
OpenSSL has included a heartbeat option since 2011. The heartbeat is a small message sent by one computer in a secure session to verify the other is still online.
This heartbeat option can be exploited by crafting a malicious request that tricks the computer on the other end into leaking server memory.