DOI: 10.1145/2663716.2663755
Research article, open access

The Matter of Heartbleed

Published: 05 November 2014

Abstract

The Heartbleed vulnerability took the Internet by surprise in April 2014. The vulnerability, one of the most consequential since the advent of the commercial Internet, allowed attackers to remotely read protected memory from an estimated 24–55% of popular HTTPS sites. In this work, we perform a comprehensive, measurement-based analysis of the vulnerability's impact, including (1) tracking the vulnerable population, (2) monitoring patching behavior over time, (3) assessing the impact on the HTTPS certificate ecosystem, and (4) exposing real attacks that attempted to exploit the bug. Furthermore, we conduct a large-scale vulnerability notification experiment involving 150,000 hosts and observe a nearly 50% increase in patching by notified hosts. Drawing upon these analyses, we discuss what went well and what went poorly, in an effort to understand how the technical community can respond more effectively to such events in the future.



    Published In

    IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference
    November 2014, 524 pages
    ISBN: 9781450332132
    DOI: 10.1145/2663716

    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. heartbleed
    2. internet-wide scanning
    3. openssl
    4. security

    Qualifiers

    • Research-article

    Conference

    IMC '14: Internet Measurement Conference
    November 5 - 7, 2014
    Vancouver, BC, Canada

    Acceptance Rates

    IMC '14 paper acceptance rate: 32 of 103 submissions (31%)
    Overall acceptance rate: 277 of 1,083 submissions (26%)

    Article Metrics

    • Downloads (last 12 months): 1,465
    • Downloads (last 6 weeks): 192
    Reflects downloads up to 25 Feb 2025

    Cited By

    • (2025) Photonic Layer Security in High-Speed Optical Communications. Journal of Lightwave Technology 43(4):1671-1677. DOI: 10.1109/JLT.2024.3520900. Online publication date: 15-Feb-2025
    • (2025) SBD: Securing Safe Rust Automatically From Unsafe Rust. Science of Computer Programming, article 103281. DOI: 10.1016/j.scico.2025.103281. Online publication date: Feb-2025
    • (2025) Analysing TLS Implementations Using Full-Message Symbolic Execution. Secure IT Systems, pp. 283-302. DOI: 10.1007/978-3-031-79007-2_15. Online publication date: 29-Jan-2025
    • (2025) iVault: Architectural Code Concealing Techniques to Protect Cryptographic Keys. Embedded Computer Systems: Architectures, Modeling, and Simulation, pp. 152-164. DOI: 10.1007/978-3-031-78380-7_13. Online publication date: 28-Jan-2025
    • (2025) Adaptive Cyber Defense. Encyclopedia of Cryptography, Security and Privacy, pp. 25-30. DOI: 10.1007/978-3-030-71522-9_1773. Online publication date: 8-Jan-2025
    • (2024) The unpatchables. Proceedings of the 33rd USENIX Conference on Security Symposium, pp. 7049-7066. DOI: 10.5555/3698900.3699294. Online publication date: 14-Aug-2024
    • (2024) 6SENSE. Proceedings of the 33rd USENIX Conference on Security Symposium, pp. 2281-2298. DOI: 10.5555/3698900.3699028. Online publication date: 14-Aug-2024
    • (2024) Endokernel. Proceedings of the 33rd USENIX Conference on Security Symposium, pp. 145-162. DOI: 10.5555/3698900.3698909. Online publication date: 14-Aug-2024
    • (2024) Not quite write. Proceedings of the 18th USENIX Conference on Offensive Technologies, pp. 171-187. DOI: 10.5555/3696933.3696946. Online publication date: 12-Aug-2024
    • (2024) Organizational Influence on Security Development in Open-Source Software Projects. International Journal of Systems and Software Security and Protection 15(1):1-20. DOI: 10.4018/IJSSSP.356659. Online publication date: 15-Oct-2024
