LOGBOOK

HELP

Quiz Entry - updated: 2026.06.26

What was Heartbleed (CVE-2014-0160) and why was it so damaging?

A read-overflow bug in OpenSSL's TLS heartbeat extension that let any attacker read up to 64 KB of server memory per request — silently, with no log entries.

The heartbeat extension lets a client send "are you still there? echo back N bytes saying X" and the server replies with N bytes. OpenSSL didn't check that the client actually sent the N bytes it claimed — it just copied N bytes out of the server's memory and sent them back.

What was in that memory? Whatever happened to be near the TLS connection state: private keys, session tokens, passwords, decrypted request bodies, email contents.

Why it was a crisis:

  • OpenSSL was running on ~17% of the public web at the time.
  • No log entry was created — you could not tell after the fact if your server's keys had been stolen.
  • Every site had to assume keys were compromised → mass certificate revocation and reissuance.
  • The bug had been in production for ~2 years before disclosure.

Lessons:

  • A memory-safety bug in a tiny corner of a security library can compromise everything the library was supposed to protect.
  • "It compiles and the tests pass" is not the same as "it's secure."
  • Memory-safe languages (or formally verified TLS stacks like Rustls) eliminate this entire class of vulnerability.

Tip: The xkcd cartoon (#1354) is the clearest explanation ever drawn. Worth bookmarking.

From Quiz: ISF / Web Application Security Basics | Updated: Jun 26, 2026