by Sharath Unni
HEARTBLEED Bug
Contents
Introduction to HTTP
Why HTTP over SSL?
Discovery of heartbleed
OpenSSL heartbeat extension
What exactly is bleeding?
Protecting against heartbleed attacks
A quick demo
A typical HTTP communication (client on the left, server on the right)
Client: I would like to open a connection
Server: OK
Client: GET <file location>
Server: Send page or error message
Client: Display response
Client: Close connection
Server: OK
Clear-text protocols
When packets of data are sent out over the internet – a lot more can happen than you think!
Need for encryption: SSL/TLS
Provides authentication, confidentiality and integrity.
Asymmetric encryption for key exchange (public and private keys)
Pre-shared secret key between the client and server
SHARED secret key – ensures that the message is private even if it is intercepted.
OpenSSL - open source implementation of the SSL and TLS protocols
Discovery of Heartbleed
The bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team on April 1, 2014.
Massive SSL bug impacts the Internet and its users
According to Netcraft's survey, about 17.5% of SSL sites (half a million) had the heartbeat extension enabled.
Affected versions: 1.0.1 and 1.0.2-beta, including 1.0.1f and 1.0.2-beta1 (since March 2012)
Apache and nginx servers typically run OpenSSL implementations
Apache and nginx servers typically run OpenSSL implementations
SSL heartbeat
SSL heartbeats are defined in RFC 6520
Similar to Connection: keep-alive in HTTP
They can be sent without authenticating with the server
A heartbeat is a message that is sent to the server just so the server can send it back. This lets a client know that the server is still connected and listening.
OpenSSL HeartBeat
Heartbleed (CVE-2014-0160)
The vulnerability lies in the implementation of Heartbeat, not in the protocol itself.
The response buffer is sized from the declared payload length plus padding, a value controlled by the peer and never checked against the number of bytes actually received. (Buffer over-read)
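The two slides above describe the heartbeat message layout and the over-read that results from trusting its length field. The following C program is an added example written for this page; it is not code from the slides or from OpenSSL. It models the RFC 6520 HeartbeatMessage on a constructed memory arena (the record at the front, stale data behind it standing in for the rest of the heap) and builds the response two ways: the pre-1.0.1g way, which trusts the declared payload length, and the 1.0.1g way, which first checks that the declared length fits inside the bytes actually received. All names, the arena size and the sample "SESSION=..." bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified RFC 6520 HeartbeatMessage (constructed model, not OpenSSL code):
 *     uint8  type;              1 = heartbeat_request, 2 = heartbeat_response
 *     uint16 payload_length;    big-endian
 *     opaque payload[payload_length];
 *     opaque padding[>= 16];
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD   16
#define ARENA_SIZE   256

/* Stand-in for the process memory around a received record: the record sits
 * at the front of the arena, the bytes behind it play the role of stale heap
 * data left over from an earlier request. */
typedef struct {
    unsigned char arena[ARENA_SIZE];
    size_t record_len;          /* bytes actually received in this record */
} hb_record;

/* Constructed "private" bytes living just past the end of the record. */
static const char NEIGHBOUR[] = "SESSION=constructed-secret";

/* Build a request that declares 'claimed_len' payload bytes but really carries
 * 'actual_len', followed by the minimum padding. */
static hb_record make_record(uint16_t claimed_len, const char *payload, size_t actual_len)
{
    hb_record r;
    memset(&r, 0, sizeof r);
    r.arena[0] = HB_REQUEST;
    r.arena[1] = (unsigned char)(claimed_len >> 8);
    r.arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(r.arena + 3, payload, actual_len);
    r.record_len = 3 + actual_len + HB_MIN_PAD;
    memcpy(r.arena + r.record_len, NEIGHBOUR, sizeof NEIGHBOUR);
    return r;
}

/* Echo the declared payload into a response record; shared by both builders. */
static int emit_response(const hb_record *r, uint16_t payload_len, unsigned char *out)
{
    out[0] = HB_RESPONSE;
    out[1] = r->arena[1];
    out[2] = r->arena[2];
    memcpy(out + 3, r->arena + 3, payload_len);     /* reads past record_len if lied to */
    memset(out + 3 + payload_len, 0, HB_MIN_PAD);   /* OpenSSL uses random padding */
    return 3 + payload_len + HB_MIN_PAD;
}

/* Pre-1.0.1g behaviour: payload_length is trusted, so a request declaring more
 * payload than it sent makes the server copy whatever follows the record.
 * Returns the response length, or -1 if the copy would leave the arena. */
static int build_response_vulnerable(const hb_record *r, unsigned char *out)
{
    uint16_t payload_len = (uint16_t)((r->arena[1] << 8) | r->arena[2]);
    if (3 + (size_t)payload_len + HB_MIN_PAD > ARENA_SIZE)
        return -1;                                  /* keeps the simulation in bounds */
    return emit_response(r, payload_len, out);
}

/* 1.0.1g behaviour: the declared length must fit inside the bytes actually
 * received, otherwise the message is silently discarded (RFC 6520 section 4).
 * Returns the response length, or 0 when the request is discarded. */
static int build_response_fixed(const hb_record *r, unsigned char *out)
{
    if (r->record_len < 1 + 2 + HB_MIN_PAD)
        return 0;                                   /* too short for an empty payload */
    uint16_t payload_len = (uint16_t)((r->arena[1] << 8) | r->arena[2]);
    if (1 + 2 + (size_t)payload_len + HB_MIN_PAD > r->record_len)
        return 0;                                   /* the Heartbleed check */
    return emit_response(r, payload_len, out);
}

/* Run one scenario with a 5-byte payload and the given declared length:
 * 1 if the response carries NEIGHBOUR bytes, 0 if it is a clean echo,
 * -1 if the server produced no response. */
static int run_scenario(int use_fixed, uint16_t claimed_len)
{
    hb_record r = make_record(claimed_len, "hello", 5);
    unsigned char out[ARENA_SIZE];
    int n = use_fixed ? build_response_fixed(&r, out) : build_response_vulnerable(&r, out);
    if (n <= 0)
        return -1;
    size_t nl = sizeof NEIGHBOUR - 1;
    for (size_t i = 3; i + nl <= (size_t)n; i++)
        if (memcmp(out + i, NEIGHBOUR, nl) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, honest length 5   : %d\n", run_scenario(0, 5));    /* 0  */
    printf("vulnerable, claimed length 200: %d\n", run_scenario(0, 200));  /* 1  */
    printf("fixed,      honest length 5   : %d\n", run_scenario(1, 5));    /* 0  */
    printf("fixed,      claimed length 200: %d\n", run_scenario(1, 200));  /* -1 */
    return 0;
}
```

The honest request is answered identically by both builders, which is why the check costs nothing for legitimate clients. The only difference is the single comparison of the declared length against the record length that was actually received; a defender reviewing a parser for any length-prefixed format should look for exactly that comparison before every copy.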
OpenSSL heartbeat
So what if we can read the memory?
Metasploit extract of memory dump
Protecting Private keys
What can we do about it?
Remove the Heartbeat extension
Upgrade to OpenSSL 1.0.1g
Revoke the old key pairs
Force users to change their passwords
User awareness
Thank you!
@sharath_unni
h4xorhead@gmail.com
