Heartbleed was a flaw in OpenSSL, the open-source library that secures a large share of the web’s HTTPS traffic. The disclosure site, heartbleed.com, describes it as a bug in “the popular OpenSSL cryptographic software library” that “allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.” The official identifier is CVE-2014-0160.
The technical cause was a missing bounds check in OpenSSL’s implementation of the TLS heartbeat extension. The NVD record states that the affected versions “do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read.” An attacker could claim a payload length larger than the data they actually sent and receive up to roughly 64 kilobytes of whatever happened to be in the server’s memory, and could repeat the request indefinitely.
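A constructed model of the over-read beside the patched check, added here as an example and not OpenSSL’s own code: the heartbeat record and the process memory beyond it share one buffer, so the unchecked copy stays inside allocated storage while still showing what leaks (the function names, the record contents and the “secret” are all assumptions).

```c
#include <stdint.h>
#include <string.h>

#define MEM_SIZE 256   /* size of the simulated process memory */
#define PADDING 16     /* minimum heartbeat padding length */

/* Build a heartbeat reply from the record at the start of mem.
 * rec_len is the length of the TLS record actually received.
 * Returns bytes written to out, or 0 if the record was dropped. */
static size_t heartbeat_reply(const unsigned char *mem, size_t rec_len,
                              unsigned char *out, int bounds_check) {
    const unsigned char *p = mem;
    unsigned char type = *p++;
    /* The payload length is read straight from the peer's packet. */
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != 1)                         /* 1 = heartbeat request */
        return 0;
    /* The patched check: header + claimed payload + padding must fit
     * inside the record that was actually received. */
    if (bounds_check && 1 + 2 + (size_t)payload + PADDING > rec_len)
        return 0;
    out[0] = 2;                            /* 2 = heartbeat response */
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);           /* unchecked copy past the record */
    return 3 + payload;
}

/* One constructed exchange. Returns 1 if the reply carries the secret that
 * sat beyond the record, 0 if it does not, -1 if the record was dropped. */
int simulate(int bounds_check) {
    unsigned char mem[MEM_SIZE] = {0};
    unsigned char out[3 + 65535];
    const char *secret = "PRIVATE-KEY-BYTES";       /* constructed stand-in */
    /* Record: type 1, claimed length 200, real payload "ping" + padding. */
    unsigned char rec[] = {1, 0, 200, 'p', 'i', 'n', 'g'};
    size_t rec_len = sizeof rec + PADDING;          /* 23 bytes on the wire */
    memcpy(mem, rec, sizeof rec);
    memcpy(mem + 64, secret, strlen(secret));       /* "nearby" heap contents */
    size_t n = heartbeat_reply(mem, rec_len, out, bounds_check);
    if (n == 0)
        return -1;
    /* out[3 + k] mirrors mem[3 + k], so the secret lands at out + 64. */
    return memcmp(out + 64, secret, strlen(secret)) == 0;
}
```

Calling `simulate(0)` (no check) returns 1 because the reply echoes memory well past the 23-byte record; `simulate(1)` returns -1 because the patched check drops the request before any copy happens.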
What made it serious was the breadth of what could leak. The disclosure site warns that the exposed memory could include “the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.” Because private keys themselves could be stolen, affected operators had to patch, then revoke and reissue certificates and ask users to change passwords.
The flaw became public on April 7, 2014, alongside the fixed OpenSSL 1.0.1g release. Beyond the immediate scramble, Heartbleed drew lasting attention to a structural problem: a tiny, under-resourced team maintained a library that secured much of the Internet. It helped spur new investment in the open-source infrastructure that everyone depends on but few were funding.