HeartBleed Attack
In April 2014, all internet-based communication was made vulnerable to attackers. Sensitive information such as usernames, passwords and credit card details was at risk. The HeartBleed attack exploited a fault in OpenSSL's implementation of TLS: the code failed to properly check the bounds of a request. This allowed malicious users to read more information than they were authorized to see. Aside from the severity and widespread nature of the HeartBleed attack, another notable feature was its anonymous nature: there is no way to know for certain which systems, if any, were actually exploited. The HeartBleed attack is said to have affected a massive portion of active websites.

From a web developer's perspective, the HeartBleed attack required immediate attention. Applications that required user login had to treat all user credentials as potentially compromised. At the same time, every affected service had to rotate its digital certificates and encryption keys in order to restore secure communication.

TLS is a foundational protocol for secure internet communication, and OpenSSL is a popular open source implementation of it. Missing bounds checks within OpenSSL's TLS implementation made the HeartBleed attack possible. Within the TLS protocol there is a heartbeat step in which two computers communicating over a secure channel exchange a small packet to confirm that the channel is still present. Because the size field of that packet was not bounds-checked, the server replied with more data than a simple check of the channel's availability required.
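The following is an added example, not code from the original article and not OpenSSL's source: a constructed C model of the heartbeat handler that shows the missing check described above beside the hardened form. The message layout (type, two-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520; the buffer contents, the `kSecret` string and the function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type (1 byte), payload_length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3
#define HB_PADDING   16

/* Shared reply construction: echoes `payload` bytes that follow the header. */
static int build_reply(const uint8_t *rec, uint16_t payload,
                       uint8_t *out, size_t out_cap)
{
    size_t reply_len = HB_HEADER + (size_t)payload + HB_PADDING;
    if (reply_len > out_cap)                  /* keeps the demo inside its own buffer */
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload); /* copies whatever memory follows */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);  /* padding */
    return (int)reply_len;
}

/* Vulnerable pattern: trusts the peer-supplied payload_length and never
 * compares it with rec_len, the number of bytes that actually arrived. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                            /* the bug: the real length is ignored */
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_reply(rec, payload, out, out_cap);
}

/* Hardened form: the declared payload plus minimum padding must fit inside
 * the bytes that were actually received; otherwise the record is discarded. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING)     /* too short to hold any heartbeat */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len)
        return -1;                            /* the missing bounds check */
    return build_reply(rec, payload, out, out_cap);
}

/* Constructed stand-in for server memory: a heartbeat request that really
 * carries 2 payload bytes, followed by data the peer must never receive. */
static const char kSecret[] = "SESSION=deadbeef; role=admin"; /* constructed */

static void build_memory(uint8_t *mem, uint16_t claimed, size_t *rec_len)
{
    size_t n = 0;
    mem[n++] = HB_REQUEST;
    mem[n++] = (uint8_t)(claimed >> 8);
    mem[n++] = (uint8_t)claimed;
    mem[n++] = 'h'; mem[n++] = 'i';           /* the 2 bytes actually sent */
    memset(mem + n, 0xAA, HB_PADDING); n += HB_PADDING;
    *rec_len = n;                             /* what the record layer delivered */
    memcpy(mem + n, kSecret, sizeof kSecret); /* adjacent memory, not part of the record */
}

static int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Request claims 40 payload bytes but sends 2: returns 1 if the reply leaks kSecret. */
int demo_vulnerable_leaks(void)
{
    uint8_t mem[128], out[128];
    size_t rec_len;
    build_memory(mem, 40, &rec_len);
    int n = heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, "SESSION=");
}

/* Same over-claiming request against the fixed handler: returns -1 (discarded). */
int demo_fixed_rejects(void)
{
    uint8_t mem[128], out[128];
    size_t rec_len;
    build_memory(mem, 40, &rec_len);
    return heartbeat_fixed(mem, rec_len, out, sizeof out);
}

/* Honest request (claims the 2 bytes it sends): returns 1 if it is echoed correctly. */
int demo_fixed_echoes_honest(void)
{
    uint8_t mem[128], out[128];
    size_t rec_len;
    build_memory(mem, 2, &rec_len);
    int n = heartbeat_fixed(mem, rec_len, out, sizeof out);
    return n == HB_HEADER + 2 + HB_PADDING && out[0] == HB_RESPONSE &&
           memcmp(out + HB_HEADER, "hi", 2) == 0 && !contains(out, (size_t)n, "SESSION=");
}

int main(void)
{
    printf("vulnerable handler leaks adjacent memory: %d\n", demo_vulnerable_leaks());
    printf("fixed handler result for over-claiming request: %d\n", demo_fixed_rejects());
    printf("fixed handler echoes honest request: %d\n", demo_fixed_echoes_honest());
    return 0;
}
```

The leak requires no memory corruption: the vulnerable handler simply copies the number of bytes the peer declared, so whatever happens to sit after the short request in the process's memory is returned to the peer. The single comparison in `heartbeat_fixed` is the whole repair, and the honest-request case shows that it does not break legitimate heartbeats.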