The matter of heartbleed

Zakir Durumeric, James Kasten, David Adrian, J. Alex Halderman, Michael Bailey, Frank Li, Nicholas Weaver, Johanna Amann, Jethro Beekman, Mathias Payer, Vern Paxson

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

The Heartbleed vulnerability took the Internet by surprise in April 2014. The vulnerability, one of the most consequential since the advent of the commercial Internet, allowed attackers to remotely read protected memory from an estimated 24-55% of popular HTTPS sites. In this work, we perform a comprehensive, measurementbased analysis of the vulnerability's impact, including (1) tracking the vulnerable population, (2) monitoring patching behavior over time, (3) assessing the impact on the HTTPS certificate ecosystem, and (4) exposing real attacks that attempted to exploit the bug. Furthermore, we conduct a large-scale vulnerability notification experiment involving 150,000 hosts and observe a nearly 50% increase in patching by notified hosts. Drawing upon these analyses, we discuss what went well and what went poorly, in an effort to understand how the technical community can respond more effectively to such events in the future.

Original languageEnglish (US)
Title of host publicationIMC 2014 - Proceedings of the 2014 ACM
PublisherAssociation for Computing Machinery
Pages475-488
Number of pages14
ISBN (Electronic)9781450332132
DOIs
StatePublished - Nov 5 2014
Event2014 ACM Internet Measurement Conference, IMC 2014 - Vancouver, Canada
Duration: Nov 5 2014Nov 7 2014

Publication series

NameProceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Other

Other2014 ACM Internet Measurement Conference, IMC 2014
CountryCanada
CityVancouver
Period11/5/1411/7/14

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'The matter of heartbleed'. Together they form a unique fingerprint.

Cite this