Heartbleed – A security bug in the OpenSSL cryptography library. OpenSSL is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited whether the party using a vulnerable OpenSSL instance for TLS is a server or a client.
Heartbleed results from improper input validation (a missing bounds check) in OpenSSL’s implementation of the TLS heartbeat extension, from which the bug takes its name. The vulnerability is classified as a buffer over-read, a situation in which software reads more data than it should be allowed to.
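To make the missing bounds check concrete, here is an added example (written for this page, not OpenSSL’s code) of a heartbeat-response builder that performs the validation the vulnerable code lacked: the payload length declared inside the message must fit within the record that was actually received, otherwise the message is discarded. The simplified record layout (type byte, 2-byte big-endian payload length, payload, at least 16 bytes of padding), the names `hb_build_response` and `hb_check`, and the two constructed sample messages are assumptions made for illustration; the first sample is well formed, the second declares a payload far larger than the bytes present.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified heartbeat message (illustration, not the OpenSSL layout verbatim):
 * [type:1][payload_length:2 big-endian][payload][padding >= 16]. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build the response for the request held in rec[0..rec_len).
 * Returns 0 and sets *out/*out_len (caller frees) on success, or -1 for a
 * malformed message, which is silently discarded. The bounds check below is
 * the one whose absence caused Heartbleed: without it the payload copy would
 * read past the received record into adjacent process memory. */
int hb_build_response(const unsigned char *rec, size_t rec_len,
                      unsigned char **out, size_t *out_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;      /* header and padding must be present */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    /* Hardened check: declared payload plus framing must not exceed what was received. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;

    size_t resp_len = (size_t)1 + 2 + payload + HB_PADDING;
    unsigned char *resp = malloc(resp_len);
    if (!resp) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, rec + 3, payload);               /* only bytes that were actually received */
    memset(resp + 3 + payload, 0, HB_PADDING);        /* real TLS uses random padding; zero here */
    *out = resp;
    *out_len = resp_len;
    return 0;
}

/* Convenience wrapper: returns the response length, or -1 if the message was rejected. */
long hb_check(const unsigned char *rec, size_t rec_len) {
    unsigned char *out = NULL;
    size_t n = 0;
    if (hb_build_response(rec, rec_len, &out, &n) != 0) return -1;
    free(out);
    return (long)n;
}

/* Constructed sample messages (not captured traffic). */
static const unsigned char WELL_FORMED[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Same bytes, but the length field claims 0x4000 (16384) payload bytes. */
static const unsigned char MALFORMED[] = {
    HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void) {
    printf("well-formed request -> response length %ld\n",
           hb_check(WELL_FORMED, sizeof WELL_FORMED));
    printf("over-long length field -> %ld (rejected)\n",
           hb_check(MALFORMED, sizeof MALFORMED));
    return 0;
}
```

The check mirrors the shape of the fix shipped with OpenSSL 1.0.1g: compute the space the declared payload would occupy, compare it against the length of the record actually received, and drop the message if it does not fit, rather than trusting the attacker-controlled length field.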
A fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug “catastrophic”. Forbes cybersecurity columnist Joseph Steinberg wrote, “Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.”