HeartBleed Bug in OpenSSL

A strangely named bug had been among us without anyone noticing, and it is called the Heartbleed bug. Heartbleed allows anyone to read the memory of a system protected by OpenSSL. A fix is now available, but it took a long time to discover the bug: it was present from December 2011 until April 2014. How long a given deployment was exposed depends on when the OpenSSL user updated their software; it could be around two years if a vendor had updated to the vulnerable OpenSSL but not yet to the newer, fixed version. Because the bug was unknown, nobody was looking for it.

The bug was introduced in OpenSSL version 1.0.1. OpenSSL is an implementation of SSL/TLS, and SSL/TLS themselves are not vulnerable technologies; the bug is in a specific version of the implementation, not in the protocol.

Why is it called Heartbleed bug?

OpenSSL implements an SSL/TLS extension called Heartbeat (RFC 6520). Because the bug in that extension lets data be taken from either side of the connection, client to server or server to client, without anyone noticing, it was named Heartbleed.
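
The check that was missing, as an added example that is not OpenSSL's own code: an RFC 6520 heartbeat message carries a 16-bit payload_length, and the fix was to refuse any message whose claimed payload (plus the minimum padding) does not fit inside the record actually received. The simplified parser below is a constructed model of that check; `hb_parse`, `hb_respond`, `struct hb_msg` and the constants are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified RFC 6520 heartbeat layout: type (1 byte),
 * payload_length (2 bytes, big-endian), payload, padding (>= 16 bytes). */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
#define HB_REQUEST 1

struct hb_msg {
    uint8_t type;
    uint16_t payload_length;
    const uint8_t *payload;
};

/* Returns 0 on success, -1 if the record must be rejected. record_len is
 * the byte count actually received; comparing the claimed length against
 * it is the check whose absence let a peer read past the record. */
int hb_parse(const uint8_t *record, size_t record_len, struct hb_msg *out)
{
    if (record == NULL || out == NULL || record_len < HB_HEADER_LEN)
        return -1;
    uint16_t claimed = (uint16_t)((record[1] << 8) | record[2]);
    /* Claimed payload plus minimum padding must fit inside the record. */
    if ((size_t)HB_HEADER_LEN + claimed + HB_MIN_PADDING > record_len)
        return -1;
    out->type = record[0];
    out->payload_length = claimed;
    out->payload = record + HB_HEADER_LEN;
    return 0;
}

/* Echo a validated request's payload back, never more bytes than the
 * request carried. Returns bytes written, or -1 if the request was rejected. */
int hb_respond(const uint8_t *req, size_t req_len, uint8_t *resp, size_t resp_cap)
{
    struct hb_msg m;
    if (hb_parse(req, req_len, &m) != 0 || m.type != HB_REQUEST)
        return -1;
    size_t need = HB_HEADER_LEN + m.payload_length + HB_MIN_PADDING;
    if (need > resp_cap)
        return -1;
    resp[0] = 2; /* heartbeat_response */
    resp[1] = (uint8_t)(m.payload_length >> 8);
    resp[2] = (uint8_t)(m.payload_length & 0xff);
    memcpy(resp + HB_HEADER_LEN, m.payload, m.payload_length);
    memset(resp + HB_HEADER_LEN + m.payload_length, 0, HB_MIN_PADDING);
    return (int)need;
}
```

A record that claims a larger payload than it actually carries is rejected before any bytes are copied, which is exactly the behaviour the patched versions restored.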

Very good documentation about the Heartbleed bug is available here.