Click here to Skip to main content
12,821,198 members (37,593 online)
Click here to Skip to main content
Add your own
alternative version

Tagged as


4 bookmarked
Posted 13 Apr 2014

What is Heartbleed Bug and Its Solutions?

, 13 Apr 2014 CPOL
Rate this:
Please Sign up or sign in to vote.
This tip describes what exactly is Heartbleed bug, how to exploit it and solutions of this bug.


Since the last few days, Heartbleed trending on the internet and saying to the internet, I am evil. People are calling this bug as "Biggest Security Threat" to the internet. Some Websites called this bug "Catastrophic".

I was gawked to know that I was not safe since 2011 December since OpneSSL included Heartbeat Extension.


This heartbleed bug is on the internet since 2011 December and it got fixed a week ago. First, it was found by Google Security team member NEEL MEHTA and a software firm called CODENOMICON. Codenomicon took the initiative about this bug and created a website for the information and solution of this bug, i.e.,

Before diving into HeartBleed, I would like to tell you about why we need SSL (Secure Socket Layer) also known as TSL (Transport Security Layer).

Usually, we send the password, personal details, credit card details, selfie pics, social media posts over the internet .

To encrypt such details, we used HTTPS. To ensure any malicious person cannot intercept these details, we use OpenSSL, which is an open source software for the implementation of SSL on the web.

But all the SSL implemented HeartBeat extensions are vulnerable to HeartBleed. Through HeartBeat extension attacker can read the client/server memory (64KB at a time) .

What is Heartbeat Extension?

OpenSSL introduced an extension Heartbeat to keep the session alive for a longer time and to avoid reestablishment of sessions. Heartbeat introduced in OpenSSL with its 1.0.1 build release as defined in the RFC 6520 TLS/DTLS Heartbeat Extension. Heartbeat messages can be sent without authenticating with the server. For every request, there might be a Heartbeatrequest and a Heartbeatresponse.

What is Heartbleed?

YAY, you got the nerve - "Vulnerability in Hearbeat causes Heartbleed".

Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

Are You Heartbleed Vulnurable ?

People have created the malicious script for heartbeat request and created many online checkers. Following are the websites where you can test whether your website is Heartbleed vulnerable or not.

How to Exploit Heartbleed Attack?

There are many available ways to exploit Heartbleed. Everyone has their proof of concepts.

Some of the ways that I liked are listed below:

Basically, using the idea of Heartbeat, a client can send a Heartbeatrequest and the server will have to respond with Heartbeatresponse.

The total length of a HeartbeatMessage(request/response) canNOT exceed 2^14 or max_fragment_length when negotiated as defined in [RFC6066]. So we are only able to leak 64 KB of memory and that could easily have usernames/password or any random information.

Which OpenSSL Versions are Vulnerable and Who is vulnerable to Heartbleed ?

Heartbleed is only exploited where vulnerable OpenSSL software has been installed. Vulnerable versions are:

  • 1.0.1
  • 1.0.1a,
  • 1.0.1b,
  • 1.0.1c,
  • 1.0.1d,
  • 1.0.1e,
  • 1.0.1f,
  • 1.0.2-beta1
  • OpenSSL is installed mostly on the Apache servers and nginx servers. According to Netcraft, half a million trusted websites are vulnerable to this Heartbleed Bug. Image Courtsey Netcraft : LINK

    Are Windows Server Safe ?

    Being a .NET developer, this is the first thing that came into my mind. Are the websites developed by me and deployed on the Windows server using IIS safe?

    According to Microsoft, they do not include OpenSSL and are not vulnerable to this Heartbleed. Microsoft has their own encryption component called SChannel (Abbreviated as Secure Channel). But those clients which are running softwares on OpenSSL instead of Schannel are vulnerable to this threat.

Solutions to Prevent Heartbleed Attack

Upgrade Your OpenSSL

Apply an upgrade to OpenSSL 1.0.1g. Contact your software vendor to apply an update for this.

Things to remember:

  1. Regenerate your secret keys (There might be a possibility that attacker already hacked your current secret key).
  2. Ask your users to change the password (I have received the official mail request from tumblr to change password).

Disable Heartbeat from Current Installed SSL

Steps to do it:

  1. Recompile your OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
  2. Restart your Apache and nginx server to effect the above command.

I hope you liked this simple and straightforward article. I have a lot of insight about this bug. We can have a healthy discussion here regarding this bug.

References and Further Readings


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Sarvesh Kushwaha
Software Developer
India India
I do believe life is to help others ... So here i am .. in my spare time i learn new things of programming and try to help people with my knowledge .
I'm an energetic, self-motivated and hard-working Developer and Information Technology Professional with experience in projects, website design and development.

Visit My Technical Blog

You may also be interested in...


Comments and Discussions

Questionmy vote of 5 Pin
Govindaraj Rangaraj13-Apr-14 8:58
memberGovindaraj Rangaraj13-Apr-14 8:58 
AnswerRe: my vote of 5 Pin
Sarvesh Kushwaha13-Apr-14 12:01
memberSarvesh Kushwaha13-Apr-14 12:01 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.170308.1 | Last Updated 13 Apr 2014
Article Copyright 2014 by Sarvesh Kushwaha
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid