DOI: 10.1145/2663716.2663755
Research article, open access

The Matter of Heartbleed

Published: 05 November 2014

Abstract

The Heartbleed vulnerability took the Internet by surprise in April 2014. The vulnerability, one of the most consequential since the advent of the commercial Internet, allowed attackers to remotely read protected memory from an estimated 24–55% of popular HTTPS sites. In this work, we perform a comprehensive, measurement-based analysis of the vulnerability's impact, including (1) tracking the vulnerable population, (2) monitoring patching behavior over time, (3) assessing the impact on the HTTPS certificate ecosystem, and (4) exposing real attacks that attempted to exploit the bug. Furthermore, we conduct a large-scale vulnerability notification experiment involving 150,000 hosts and observe a nearly 50% increase in patching by notified hosts. Drawing upon these analyses, we discuss what went well and what went poorly, in an effort to understand how the technical community can respond more effectively to such events in the future.


Cited By

  • (2024) Organizational Influence on Security Development in Open-Source Software Projects. International Journal of Systems and Software Security and Protection 15:1 (1-20), DOI 10.4018/IJSSSP.356659. Online publication date: 15-Oct-2024
  • (2024) Different Visions From BIOSView. Change Dynamics in Healthcare, Technological Innovations, and Complex Scenarios (144-157), DOI 10.4018/979-8-3693-3555-0.ch008. Online publication date: 8-Mar-2024
  • (2024) Modeling interconnected social and technical risks in open source software ecosystems. Collective Intelligence 3:1, DOI 10.1177/26339137241231912. Online publication date: 15-Feb-2024


    Published In

    IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference
    November 2014, 524 pages
    ISBN: 9781450332132
    DOI: 10.1145/2663716
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. heartbleed
    2. internet-wide scanning
    3. openssl
    4. security

    Qualifiers

    • Research-article

    Conference

    IMC '14
    Sponsor:
    IMC '14: Internet Measurement Conference
    November 5 - 7, 2014
    Vancouver, BC, Canada

    Acceptance Rates

    IMC '14 Paper Acceptance Rate 32 of 103 submissions, 31%;
    Overall Acceptance Rate 277 of 1,083 submissions, 26%


    Article Metrics

    • Downloads (Last 12 months)1,508
    • Downloads (Last 6 weeks)264
    Reflects downloads up to 19 Nov 2024

