© Copyright 2014 Critical Watch
By Jesper "JJ" Jurcenoks, April 8, 2014
Last Updated April 14, 2014
Standards & IDs
OWASP 2004 Top 10 A5
WASC-07 Buffer Overflow
CWE-126 Buffer Over-read
CWE-20 Improper Input Validation
Video Explaining Heartbleed
Check this list of major Internet sites to see their Heartbleed status.
According to Cynthia Rose16, your company could be on the hook for legally required breach notifications going back 2 years, since either:
Brilliant Heartbleed Explanation by xkcd
In this example, Yahoo.com changed its certificate after remediating the Heartbleed bug, and it is now safe to log in. If you logged into Yahoo between Monday, April 7 (afternoon, US time) and Tuesday, April 8 (afternoon), then you need to change your password.
Question: My favorite website is not vulnerable now and they didn't change their certificate. How can I tell whether they were vulnerable to Heartbleed in the past?
Answer: Unless someone has posted the answer to that question online, you will have to ask their support.
Question: Why only worry about sites I have used since April 7, 2014, when the Heartbleed bug has existed since March 14, 2012?
Answer: Mass exploitation of the bug did not start until April 7; indications of exploitation before that date are very rare13.