The Matter of Heartbleed

Authors:
Zakir Durumeric

University of California, Berkeley, Berkeley, CA, USA

University of California, Berkeley, Berkeley, CA, USA
View Profile

,
Frank Li

University of California, Berkeley, Berkeley, CA, USA

University of California, Berkeley, Berkeley, CA, USA
View Profile

,
James Kasten

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Johanna Amann

International Computer Science Institute, Berkeley, CA, USA

International Computer Science Institute, Berkeley, CA, USA
View Profile

,
Jethro Beekman

University of California, Berkeley, Berkeley, USA

University of California, Berkeley, Berkeley, USA
View Profile

,
Mathias Payer

Purdue University, Purdue, IN, USA

Purdue University, Purdue, IN, USA
View Profile

,
Nicolas Weaver

University of California, Berkeley, Berkeley, CA, USA

University of California, Berkeley, Berkeley, CA, USA
View Profile

,
David Adrian

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

,
Vern Paxson

University of California, Berkeley, Berkeley, CA, USA

University of California, Berkeley, Berkeley, CA, USA
View Profile

,
Michael Bailey

University of Illinois, Urbana Champaign, Berkeley, IL, USA

University of Illinois, Urbana Champaign, Berkeley, IL, USA
View Profile

,
J. Alex Halderman

University of Michigan, Ann Arbor, MI, USA

University of Michigan, Ann Arbor, MI, USA
View Profile

IMC '14: Proceedings of the 2014 Conference on Internet Measurement ConferenceNovember 2014Pages 475–488https://doi.org/10.1145/2663716.2663755

Published:05 November 2014Publication History

IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference

Pages 475–488

ABSTRACT

The Heartbleed vulnerability took the Internet by surprise in April 2014. The vulnerability, one of the most consequential since the advent of the commercial Internet, allowed attackers to remotely read protected memory from an estimated 24--55% of popular HTTPS sites. In this work, we perform a comprehensive, measurement-based analysis of the vulnerability's impact, including (1) tracking the vulnerable population, (2) monitoring patching behavior over time, (3) assessing the impact on the HTTPS certificate ecosystem, and (4) exposing real attacks that attempted to exploit the bug. Furthermore, we conduct a large-scale vulnerability notification experiment involving 150,000 hosts and observe a nearly 50% increase in patching by notified hosts. Drawing upon these analyses, we discuss what went well and what went poorly, in an effort to understand how the technical community can respond more effectively to such events in the future.

References

Alexa Top 1,000,000 Sites. http://s3.amazonaws.com/alexa-static/top-1m.csv.zip.Google Scholar
Bitcoin Core Version History. https://bitcoin.org/en/version-history.Google Scholar
Installing OpenDKIM. http://www.opendkim.org/INSTALL.Google Scholar
Telnet Server with SSL Encryption Support. https://packages.debian.org/stable/net/telnetd-ssl.Google Scholar
Install Ejabberd, Oct. 2004. http://www.ejabberd.im/tuto-install-ejabberd.Google Scholar
Cassandra Wiki - Internode Encryption, Nov. 2013. http://wiki.apache.org/cassandra/InternodeEncryption.Google Scholar
Android Platform Versions, Apr. 2014. https://developer.android.com/about/dashboards/index.html#Platform.Google Scholar
Apple Says iOS, OSX and "Key Web Services" Not Affected by Heartbleed Security Flaw, Apr. 2014. http://recode.net/2014/04/10/apple-says-ios-osx-and-key-web-services-not-affected-by-heartbleed-security-flaw/.Google Scholar
Heartbleed F.A.Q., 2014. https://www.startssl.com/?app=43.Google Scholar
The Heartbleed Hit List: The Passwords You Need to Change Right Now, Apr. 2014. http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/.Google Scholar
HP Support Document c04249852, May 2014. http://goo.gl/AcUG8I.Google Scholar
Is Openfire Affected by Heartbleed?, Apr. 2014. https://community.igniterealtime.org/thread/52272.Google Scholar
June 2014 Web Server Survey, 2014. http://news.netcraft.com/archives/2014/06/06/june-2014-web-server-survey.html.Google Scholar
NGINX and the Heartbleed Vulnerability, Apr. 2014. http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/.Google Scholar
Official BTCJam Update, Apr. 2014. http://blog.btcjam.com/post/82158642922/official-btcjam-update.Google Scholar
SSL Pulse, Apr. 2014. https://www.trustworthyinternet.org/ssl-pulse/.Google Scholar
Tomcat Heartbleed, Apr. 2014. https://wiki.apache.org/tomcat/Security/Heartbleed.Google Scholar
Wikimedia's Response to the "Heartbleed" Security Vulnerability, Apr. 2014. https://blog.wikimedia.org/2014/04/10/wikimedias-response-to-the-heartbleed-security-vulnerability/.Google Scholar
Adobe. Heartbleed Update, Apr. 2014. http://blogs.adobe.com/psirt/?p=1085.Google Scholar
M. Al-Bassam. Top Alexa 10,000 Heartbleed Scan-April 14, 2014. https://github.com/musalbas/heartbleed-masstest/blob/94cd9b6426311f0d20539e696496ed3d7bdd2a94/top1000.txt.Google Scholar
Alienth. We Recommend that You Change Your Reddit Password, Apr. 2014. http://www.reddit.com/r/announcements/comments/231hl7/we_recommend_that_you_change_your_reddit_password/.Google Scholar
J. Amann, M. Vallentin, S. Hall, and R. Sommer. Extracting Certificates from Live Traffic: A Near Real-Time SSL Notary Service. Technical Report TR-12-014, ICSI, Nov. 2012.Google Scholar
AWeber Communications. Heartbleed: We're Not Affected. Here's What You Can Do To Protect Yourself, Apr. 2014. http://blog.aweber.com/articles-tips/heartbleed-how-to-protect-yourself.htm.Google Scholar
Bitcoin. OpenSSL Heartbleed Vulnerability, Apr. 2014. https://bitcoin.org/en/alert/2014-04--11-heartbleed.Google Scholar
Bro Network Security Monitor Web Site. http://www.bro.org.Google Scholar
N. Craver. Is Stack Exchange Safe from Heartbleed?, Apr. 2014. http://meta.stackexchange.com/questions/228758/is-stack-exchange-safe-from-heartbleed.Google Scholar
R. Dingledine. Tor OpenSSL Bug CVE-2014-0160, Apr. 2014. https://blog.torproject.org/blog/openssl-bug-cve-2014-0160.Google Scholar
Dropbox Support. https://twitter.com/dropbox_support/status/453673783480832000, Apr. 2014. Quick Update on Heartbleed: We've Patched All of Our User-Facing Services & Will Continue to Work to Make Sure Your Stuff is Always Safe.Google Scholar
Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman. Analysis of the HTTPS Certificate Ecosystem. In Proc. ACM Internet Measurement Conference, Oct. 2013. Google ScholarDigital Library
Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-Wide Scanning and its Security Applications. In Proc. USENIX Security Symposium, Aug. 2013. Google ScholarDigital Library
A. Ellis. Akamai heartbleed Update (V3), Apr. 2014. https://blogs.akamai.com/2014/04/heartbleed-update-v3.html.Google Scholar
A. S. Foundation. CouchDB and the Heartbleed SSL/TLS Vulnerability, Apr. 2014. https://blogs.apache.org/couchdb/entry/couchdb_and_the_heartbleed_ssl.Google Scholar
GoDaddy. OpenSSL Heartbleed: We've Patched Our Servers, Apr. 2014. http://support.godaddy.com/godaddy/openssl-and-heartbleed-vulnerabilities/.Google Scholar
L. Grangeia. Heartbleed, Cupid and Wireless, May 2014. http://www.sysvalue.com/en/heartbleed-cupid-wireless/.Google Scholar
S. Grant. The Bleeding Hearts Club: Heartbleed Recovery for System Administrators, Apr. 2014. https://www.eff.org/deeplinks/2014/04/bleeding-hearts-club-heartbleed-recovery-system-administrators.Google Scholar
B. Grubb. Heartbleed Disclosure Timeline: Who Knew What and When. Apr. 2014. http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html.Google Scholar
L. Haisley. OpenSSL Crash with STARTTLS in Courier, May 2014. http://sourceforge.net/p/courier/mailman/message/32298514/.Google Scholar
IBM. OpenSSL Heartbleed (CVE-2014-0160), May 2014. https://www-304.ibm.com/connections/blogs/PSIRT/entry/openssl_heartbleed_cve_2014_0160.Google Scholar
Infusionsoft. What You Need to Know About Heartbleed, Apr. 2014. http://blog.infusionsoft.com/company-news/need-know-heartbleed/.Google Scholar
Internal Revenue Service. IRS Statement on "Heartbleed" and Filing Season, Apr. 2014. http://www.irs.gov/uac/Newsroom/IRS-Statement-on-Heartbleed-and-Filing-Season.Google Scholar
W. Kamishlian and R. Norris. Installing OpenSSL for Jabberd 2. http://www.jabberdoc.org/app_openssl.html.Google Scholar
Litespeed Technologies. LSWS 4.2.9 Patches Heartbleed Bug, Apr. 2014. http://www.litespeedtech.com/support/forum/threads/lsws-4--2--9-patches-heartbleed-bug.8504/.Google Scholar
S. Marquess. Of Money, Responsibility, and Pride, Apr. 2014. http://veridicalsystems.com/blog/of-money-responsibility-and-pride/.Google Scholar
M. Masnick. Shameful Security: StartCom Charges People To Revoke SSL Certs Vulnerable to Heartbleed, Apr. 2014. http://www.techdirt.com/articles/20140409/11442426859/shameful-security-startcom-charges-people-to-revoke-ssl-certs-vulnerable-to-heartbleed.shtml.Google Scholar
N. Mehta and Codenomicon. The Heartbleed Bug. http://heartbleed.com/.Google Scholar
Microsoft. Microsoft Services unaffected by OpenSSL Heartbleed vulnerability, Apr. 2014. http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx.Google Scholar
MongoDB. MongoDB Response on Heartbleed OpenSSL Vulnerability, Apr. 2014. http://www.mongodb.com/blog/post/mongodb-response-heartbleed-openssl-vulnerability.Google Scholar
K. Murchison. Heartbleed Warning - Cyrus Admin Passowrd Leak!, Apr. 2014. http://lists.andrew.cmu.edu/pipermail/info-cyrus/2014-April/037351.html.Google Scholar
E. Ng. Tunnel Fails after OpenSSL Patch, Apr. 2014. https://lists.openswan.org/pipermail/users/2014-April/022934.html.Google Scholar
M. O'Connor. Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed Bug), Apr. 2014. http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html.Google Scholar
P. Ondruska. Does OpenSSL CVE-2014-0160 Effect Jetty Users', Apr. 2014. http://dev.eclipse.org/mhonarc/lists/jetty-users/msg04624.html.Google Scholar

Index Terms

The Matter of Heartbleed
1. Networks
  1. Network services

Recommendations

Analysis of SSL certificate reissues and revocations in the wake of heartbleed
IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference

Central to the secure operation of a public key infrastructure (PKI) is the ability to revoke certificates. While much of users' security rests on this process taking place quickly, in practice, revocation typically requires a human to decide to reissue ...
Read More
"Heartbleed": a misuse pattern for the OpenSSL implementation of the SSL/TLS protocol
PLoP '16: Proceedings of the 23rd Conference on Pattern Languages of Programs

Transport Layer Security (TLS) is the successor of the Secure Sockets Layer (SSL) protocol, a cryptographic protocol that provides a secure communication channel between a client and a server. Its secure communication prevents an attacker from ...
Read More
A Programmatic Solution to Stop Heartbleed Bug Attack
Big Data Analytics in Astronomy, Science, and Engineering
Abstract
A flaw was found in the Open SSL cryptography library in April 2014, known as the Heartbleed vulnerability that was implemented in the Transport Layer Security and Secure Socket Layer Protocols. This bug allowed the attacker to steal sensitive ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference
November 2014
524 pages
ISBN:9781450332132
DOI:10.1145/2663716
General Chair:
Carey Williamson
University of Calgary, Canada
,
Program Chairs:
Aditya Akella
University of Wisconsin - Madison, USA
,
Nina Taft
Google, USA
Copyright © 2014 Owner/Author
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 5 November 2014
Check for updates
Author Tags
heartbleed
internet-wide scanning
openssl
security
Qualifiers
- research-article
Conference

Acceptance Rates
IMC '14 Paper Acceptance Rate32of103submissions,31%Overall Acceptance Rate277of1,083submissions,26%
More
Upcoming Conference
IMC '24

Sponsor:

sigcomm

sigcomm

ACM Internet Measurement Conference

November 4 - 6, 2024

Madrid , AA , Spain
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 416
  Total Citations
  View Citations
- 9,740
  Total Downloads
- Downloads (Last 12 months)1,356
- Downloads (Last 6 weeks)199
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

The Matter of Heartbleed

IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference

ABSTRACT

References

Cited By

Index Terms

Recommendations

Analysis of SSL certificate reissues and revocations in the wake of heartbleed

"Heartbleed": a misuse pattern for the OpenSSL implementation of the SSL/TLS protocol

A Programmatic Solution to Stop Heartbleed Bug Attack