Heartbleed

Heartbleed is a security hole in OpenSSL that was discovered by the Finnish security firm Codenomicon and publicized on April 7, 2014. OpenSSL is the encryption technology used to create secure website connections over HTTPS, establish VPNs, and encrypt several other protocols. Since OpenSSL is used by roughly two-thirds of web servers, the vulnerability is considered one of the most significant security holes discovered since the beginning of the web.

How does Heartbleed work?

The Heartbleed exploit takes advantage of the initial communication between the client and server. This preliminary step is commonly called a "handshake," though OpenSSL provides a variation called a "heartbeat." The heartbeat is used to establish a secure connection, but the data transmitted during the heartbeat is not sent securely.

By sending false information to a server, a hacker can retrieve 64 kilobyte chunks of data from the server's cache. While this is a small amount of data, it is enough to contain a username, password, or other confidential information. By making several requests in a row, a hacker can potentially capture large amounts of private data cached in a server's memory.

The Heartbleed bug is specific to OpenSSL 1.0.1 through 1.0.1f and version 1.0.2-beta1. Other versions of OpenSSL and other types of TLS (transport layer security) implementations are not affected. After the bug was made known on April 7, many web servers were patched immediately with version 1.0.1g. However, it is unknown how many servers were affected and how many still are using the vulnerable version of OpenSSL.

How does Heartbleed affect me?

It is unlikely that you are directly affected by the Heartbleed bug. While the security hole went undetected for two years, there is little evidence that the exploit has been widely used. Still, to be safe, you can protect yourself by updating your passwords for website logins, email accounts, and other online services.

Updated April 11, 2014 by Per C.

quizTest Your Knowledge

Which of the following best describes graymail?

A
It is an email received with no from address.
0%
B
It is an email that never reached its recipient.
0%
C
It is an unwanted email, but not considered spam.
0%
D
It is a message sent in plain text instead of HTML.
0%
Correct! Incorrect!     View the Graymail definition.
More Quizzes →

The Tech Terms Computer Dictionary

The definition of Heartbleed on this page is an original definition written by the TechTerms.com team. If you would like to reference this page or cite this definition, please use the green citation links above.

The goal of TechTerms.com is to explain computer terminology in a way that is easy to understand. We strive for simplicity and accuracy with every definition we publish. If you have feedback about this definition or would like to suggest a new technical term, please contact us.

Sign up for the free TechTerms Newsletter

How often would you like to receive an email?

You can unsubscribe or change your frequency setting at any time using the links available in each email.

Questions? Please contact us.