How it works...
Heartbleed is a buffer over-read vulnerability in the OpenSSL TLS implementation; this means that more data can be read from memory than should be allowed. By exploiting this vulnerability, an attacker can read information from the OpenSSL server memory in clear text, which means that we don't need to decrypt or even intercept any communication between the client and the server. The exploitation works by abusing the heartbeat messages exchanged by server and client; these are short messages sent by the client and answered by the server to keep the session active. In a vulnerable implementation, a client can claim to send a message of size X, while sending a smaller amount (Y) of bytes. The server will then respond with X
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access