Heartbleed: OpenSSL Flaw Exposes Private Keys of Two-Thirds of the Web
Codenomicon / Google Security
What happened
A missing bounds check in OpenSSL's heartbeat extension (CVE-2014-0160) allowed any attacker to read 64KB of server memory per request, potentially exposing private SSL keys, passwords, and session tokens. An estimated two-thirds of HTTPS servers were vulnerable at disclosure.[1]
What went wrong
A developer added a heartbeat feature to OpenSSL without implementing a bounds check on the user-supplied length field, allowing callers to request more data than they sent. The bug was present for two years before discovery.[1]
Lesson learned
Memory-safe languages eliminate entire classes of vulnerabilities like buffer over-reads. Critical open-source libraries need dedicated security audits — "many eyes" does not automatically catch subtle bugs in low-level C code.
Est. value burned
~$500M
industry-wide remediation estimate
Sources
- [1] Codenomicon / Google Security Heartbleed: OpenSSL Flaw Exposes Private Keys of Two-Thirds of the Web