Proposal

I hereby write this proposal with the intent of explaining to the class probably the most destructive vulnerability the Internet has ever seen: the Heartbleed Bug. This bug struck more than 2/3 of the whole Internet and was actually easy for a non-technical person to execute. The beauty of this bug is that it exposes all the data stored on a specific computer (server), which includes bank account numbers, usernames and passwords; everything on the Internet that uses SSL/TLS was vulnerable to it. So all information online, including classified documents, was at risk of exploitation. Reports also suggest that the NSA knew of the bug more than 2 years earlier and was using it to extract classified information from diplomats and other security agencies for intelligence purposes.

We plan to present the topic in modules, which gives the class a better view and the knowledge needed to understand this specific vulnerability. Our presentation would include the following stages:

1. Introduction to HTTP and why SSL/TLS is required for communication over HTTP: The Internet is a vast entity in its own right, and a lot of sensitive and personal data is shared over it, which could be used to impersonate or exploit a specific person or organization. We include a brief introduction on how HTTP works and the types of attacks involved in stealing data, hence the introduction of SSL/TLS. This basic information familiarizes the class with HTTP and SSL/TLS, which will help them understand the vulnerability well and follow the terms we will be using in the more advanced stages of our presentation.

2. OpenSSL Heartbeat Extension introduction and discovery of Heartbleed. What exactly is Bleed? Almost the whole Internet uses OpenSSL for encryption, and there is a sure chance that every one of us has transacted with OpenSSL on the Internet even if we don't know it. OpenSSL uses the heartbeat extension to validate a session periodically over the course of the communication: the source host or destination host sends a heartbeat to verify whether the other party is still available to continue the connection. This involves a request carrying a small amount of data, which the other side sends back to show that the communication is alive. The Heartbeat did not have any limit on the amount of data that could be requested by a party, which led to the Heartbleed vulnerability. A party requesting a heartbeat would request an unusually high number of bytes of data from the recipient, who will send the data back to the source as requested. If the requested string is small, the recipient sends the appropriate data, but if the requested string is unusually large, the recipient sends data from its storage (memory) to satisfy the party's request, which includes sensitive data in the system's storage (also called a memory dump). This, specifically, is the summary of the Heartbeat and the Heartbleed vulnerability.
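The length-field mistake described in stage 2, shown as an added example (not OpenSSL's code and not part of the original proposal): a constructed "server memory" array holds a heartbeat request whose length field claims 48 bytes while the real payload is 3 bytes, the pre-fix handler echoes whatever follows the payload, and the fixed handler rejects the record because claimed payload plus padding exceeds what was received. All buffers, the secret string and the function names are assumptions made for the demo.

```c
#include <string.h>

/* RFC 6520 heartbeat: 1-byte type, 2-byte big-endian payload length,
 * the payload, then at least 16 bytes of random padding. */
#define HB_PADDING 16
#define REQ_LEN    (1 + 2 + 3 + HB_PADDING)   /* bytes the peer really sent */
/* Constructed "server memory" (not real OpenSSL memory): a 22-byte request
 * (type 1, claimed length 0x0030 = 48, real payload "abc") with another
 * session's data sitting right after it. */
static unsigned char server_mem[64] =
    "\x01\x00\x30" "abc" "pppppppppppppppp" "SECRET-SESSION-TOKEN";

/* Pre-fix logic: trusts the length field. Reads stay inside server_mem, so the demo is safe. */
static int heartbeat_unchecked(const unsigned char *rec, unsigned char *out, size_t cap)
{
    unsigned int len = ((unsigned int)rec[1] << 8) | rec[2];
    if (len > cap) return -1;   /* demo guard only; the real code had none */
    memcpy(out, rec + 3, len);  /* copies 45 bytes past the 3-byte payload */
    return (int)len;
}

/* The fix: claimed payload plus padding must fit in the bytes actually
 * received, otherwise the record is silently discarded. */
static int heartbeat_checked(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    unsigned int len = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + (size_t)len + HB_PADDING > rec_len) return -1;  /* Heartbleed check */
    if (len > cap) return -1;
    memcpy(out, rec + 3, len);
    return (int)len;
}

/* 1 if the unchecked handler echoes the other session's secret. */
int unchecked_leaks_secret(void)
{
    unsigned char resp[64];
    int n = heartbeat_unchecked(server_mem, resp, sizeof resp);
    return n == 48 && memcmp(resp + 19, "SECRET-SESSION-TOKEN", 20) == 0;
}

/* Fixed handler on the same 22-byte record; honest != 0 sets the length field to the true 3. */
int checked_result(int honest)
{
    unsigned char rec[REQ_LEN], resp[64];
    memcpy(rec, server_mem, REQ_LEN);
    if (honest) rec[2] = 3;
    return heartbeat_checked(rec, REQ_LEN, resp, sizeof resp);
}
```

With the lying length field the fixed handler returns -1 (record dropped) and with the honest length it returns 3, the true payload size.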