The matter of heartbleed

Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Volumn , Issue , 2014, Pages 475-488

  Durumeric, Zakir ^a   Kasten, James ^a   Adrian, David ^a   Halderman, J Alex ^a   Bailey, Michael ^a,b   Li, Frank ^c   Weaver, Nicholas ^c,d   Amann, Johanna ^d   Beekman, Jethro ^c   Payer, Mathias ^c,e   Paxson, Vern ^c,d  

^a UNIVERSITY OF MICHIGAN   (United States)

^b UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN   (United States)

^c UNIVERSITY OF CALIFORNIA   (United States)

^d INTERNATIONAL COMPUTER SCIENCE INSTITUTE   (United States)

^e PURDUE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

MEASUREMENT;

COMMERCIAL INTERNET; MEASUREMENT-BASED; TECHNICAL COMMUNITY;

HTTP;

EID: 84910125196     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2663716.2663755     Document Type: Conference Paper

References (74)

1. Alexa Top 1, 000, 000 Sites. http://s3.amazonaws.com/alexa-static/top-1m.csv.
2. itcoin Core Version History. https://bitcoin.org/en/version-history.
3. Installing OpenDKIM. http://www.opendkim.org/INSTALL.
4. Telnet Server with SSL Encryption Support. https://packages.debian.org/stable/net/telnetd-ssl.
5. Install Ejabberd, Oct. 2004. http://www.ejabberd.im/tuto-install-ejabberd.
6. Cassandra Wiki - Internode Encryption, Nov. 2013. http://wiki.apache.org/cassandra/InternodeEncryption.
7. Android Platform Versions, Apr. 2014. https://developer.android.com/about/dashboards/index.html#Platform.
8. Apple Says iOS, OSX and "Key Web Services" Not Affected by Heartbleed Security Flaw, Apr. 2014. http://recode.net/2014/04/10/apple-says-ios-osx-and-keyweb-services-not-affected-by-heartbleed-security-flaw/.
9. Heartbleed F.A.Q., 2014. https://www.startssl.com/?app=43.
10. The Heartbleed Hit List: The Passwords You Need to Change Right Now, Apr. 2014. http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/.
11. HP Support Document c04249852, May 2014. http://goo.gl/AcUG8I.
12. Is Openfire Affected by Heartbleed?, Apr. 2014. https://community.igniterealtime.org/thread/52272.
13. June 2014 Web Server Survey, 2014. http://news.netcraft.com/archives/2014/06/06/june-2014-web-server-survey.html.
14. NGINX and the Heartbleed Vulnerability, Apr. 2014. http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/.
15. Official BTCJam Update, Apr. 2014. http://blog.btcjam.com/post/82158642922/official-btcjam-update.
16. SSL Pulse, Apr. 2014. https://www.trustworthyinternet.org/ssl-pulse/.
17. Tomcat Heartbleed, Apr. 2014. https://wiki.apache.org/tomcat/Security/Heartbleed.
18. Wikimedia's Response to the "Heartbleed" Security Vulnerability, Apr. 2014. https://blog.wikimedia.org/2014/04/10/wikimedias-responseto-the-heartbleed-security-vulnerability/.
19. Adobe. Heartbleed Update, Apr. 2014. http://blogs.adobe.com/psirt/?p=1085.
20. M. Al-Bassam. Top Alexa 10, 000 Heartbleed Scan-April 14, 2014. https://github.com/musalbas/heartbleed-masstest/blob/94cd9b6426311f0d20539e696496ed3d7bdd2a94/top1000.txt.
21. Alienth. We Recommend that You Change Your Reddit Password, Apr. 2014. http://www.reddit.com/r/announcements/comments/231hl7/we-recommend-that-you-change-your-reddit-password/.
22. B. Amann, M. Vallentin, S. Hall, and R. Sommer. Extracting Certificates from Live Traffic: A Near Real-Time SSL Notary Service. Technical Report TR-12-014, ICSI, Nov. 2012.
23. AWeber Communications. Heartbleed: We're Not Affected. Here's What You Can Do To Protect Yourself, Apr. 2014. http://blog.aweber.com/articles-tips/heartbleed-how-to-protect-yourself.htm.
24. Bitcoin. OpenSSL Heartbleed Vulnerability, Apr. 2014. https://bitcoin.org/en/alert/2014-04-11-heartbleed.
25. Bro Network Security Monitor Web Sitehttp://www.bro.org.
26. N. Craver. Is Stack Exchange Safe from Heartbleed?, Apr. 2014. http://meta.stackexchange.com/questions/228758/is-stack-exchange-safe-from-heartbleed.
27. R. Dingledine. Tor OpenSSL Bug CVE-2014-0160, Apr. 2014. https://blog.torproject.org/blog/openssl-bug-cve-2014-0160.
28. Dropbox Support. https://twitter.com/dropbox-support/status/453673783480832000, Apr. 2014. Quick Update on Heartbleed: We've Patched All of Our User-Facing Services & Will Continue to Work to Make Sure Your Stuff is Always Safe.
29. Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman. Analysis of the HTTPS Certificate Ecosystem. In Proc. ACM Internet Measurement Conference, Oct. 2013.
30. Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-Wide Scanning and its Security Applications. In Proc. USENIX Security Symposium, Aug. 2013.
31. A. Ellis. Akamai heartbleed Update (V3), Apr. 2014. https://blogs.akamai.com/2014/04/heartbleed-update-v3.html.
32. A. S. Foundation. CouchDB and the Heartbleed SSL/TLS Vulnerability, Apr. 2014. https://blogs.apache.org/couchdb/entry/couchdb-and-the-heartbleed-ssl.
33. GoDaddy. OpenSSL Heartbleed: We've Patched Our Servers, Apr. 2014. http://support.godaddy.com/godaddy/openssl-and-heartbleed-vulnerabilities/.
34. L. Grangeia. Heartbleed, Cupid and Wireless, May 2014. http://www.sysvalue.com/en/heartbleed-cupid-wireless/.
35. S. Grant. The Bleeding Hearts Club: Heartbleed Recovery for System Administrators, Apr. 2014. https://www.eff.org/deeplinks/2014/04/bleeding-hearts-clubheartbleed-recovery-system-administrators.
36. B. Grubb. Heartbleed Disclosure Timeline: Who Knew What and When. Apr. 2014. http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-whatand-when-20140415-zqurk.html.
37. L. Haisley. OpenSSL Crash with STARTTLS in Courier, May 2014. http://sourceforge.net/p/courier/mailman/message/32298514/.
38. IBM. OpenSSL Heartbleed (CVE-2014-0160), May 2014. https://www-304.ibm.com/connections/blogs/PSIRT/entry/openssl-heartbleed-cve-2014-0160.
39. Infusionsoft. What You Need to Know About Heartbleed, Apr. 2014. http://blog.infusionsoft.com/company-news/need-know-heartbleed/.
40. Internal Revenue Service. IRS Statement on "Heartbleed" and Filing Season, Apr. 2014. http://www.irs.gov/uac/Newsroom/IRS-Statement-on-Heartbleed-and-Filing-Season.
41. W. Kamishlian and R. Norris. Installing OpenSSL for Jabberd 2. http://www.jabberdoc.org/app-openssl.html.
42. Litespeed Technologies. LSWS 4.2.9 Patches Heartbleed Bug, Apr. 2014. http://www.litespeedtech.com/support/forum/threads/lsws-4-2-9-patches-heartbleed-bug.8504/.
43. S. Marquess. Of Money, Responsibility, and Pride, Apr. 2014. http://veridicalsystems.com/blog/of-money-responsibility-and-pride/.
44. M. Masnick. Shameful Security: StartCom Charges People To Revoke SSL Certs Vulnerable to Heartbleed, Apr. 2014. http://www.techdirt.com/articles/20140409/11442426859/shameful-security-startcom-charges-people-to-revoke-sslcerts-vulnerable-to-heartbleed.shtml.
45. N. Mehta and Codenomicon. The Heartbleed Bug. http://heartbleed.com/.
46. Microsoft. Microsoft Services unaffected by OpenSSL Heartbleed vulnerability, Apr. 2014. http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-andservices-and-the-openssl-heartbleed-vulnerability.aspx.
47. MongoDB. MongoDB Response on Heartbleed OpenSSL Vulnerability, Apr. 2014. http://www.mongodb.com/blog/post/mongodb-response-heartbleed-openssl-vulnerability.
48. K. Murchison. Heartbleed Warning - Cyrus Admin Passowrd Leak!, Apr. 2014. http://lists.andrew.cmu.edu/pipermail/info-cyrus/2014-April/037351.html.
49. E. Ng. Tunnel Fails after OpenSSL Patch, Apr. 2014. https://lists.openswan.org/pipermail/users/2014-April/022934.html.
50. M. O'Connor. Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed Bug), Apr. 2014. http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html.
51. P. Ondruska. Does OpenSSL CVE-2014-0160 Effect Jetty Users?, Apr. 2014. http://dev.eclipse.org/mhonarc/lists/jetty-users/msg04624.html.
52. OpenSSL Project Team. OpenSSL Security Advisory, Apr. 2014. http://www.mail-archive.com/openssl-users@openssl.org/msg73408.html.
53. OpenSSL Project Team. OpenSSL Version 1.0.1g Released, Apr. 2014. http://www.mail-archive.com/openssl-users@openssl.org/msg73407.html.
54. OpenVPN. OpenSSL Vulnerability-Heartbleed. https://community.openvpn.net/openvpn/wiki/heartbleed.
55. Oracle. OpenSSL Security Bug-Heartbleed/CVE-2014-0160, Apr. 2014. http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html.
56. L. Padron. Important Read - Critical Security Advisory And Patch for OpenSSL Heartbleed Vulnerability, Apr. 2014. http://blog.zimbra.com/blog/archives/2014/04/important-read-critical-security-advisory-patch-opensslheartbleed-vulnerability.html.
57. V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23-24):2435-2463, 1999.
58. PayPal. OpenSSL Heartbleed Bug-PayPal Account Holders are Secure, Apr. 2014. https://www.paypal-community.com/t5/PayPal-Forward/OpenSSL-Heartbleed-Bug-PayPal-Account-Holders-are-Secure/ba-p/797568.
59. W. Pinckaers. http://lekkertech.net/akamai.txt.
60. M. Prince. The Hidden Costs of Heartbleed, Apr. 2014. http://blog.cloudflare.com/the-hard-costs-of-heartbleed.
61. Publishers Clearing House. Stay Smart About The "Heartbleed" Bug With PCH!, Apr. 2014. http://blog.pch.com/blog/2014/04/16/stay-smart-about-the-heartbleed-bug-with-pch/.
62. Rackspace. Protect Your Systems From "Heartbleed" OpenSSL Vulnerability, Apr. 2014. http://www.rackspace.com/blog/protect-your-systems-fromheartbleed-openssl-vulnerability/.
63. Red Hat. How to Recover from the Heartbleed OpenSSL vulnerability, Apr. 2014. https://access.redhat.com/articles/786463.
64. T. Saunders. ProFTPD and the OpenSSL "Heartbleed" Bug, May 2014. http://comments.gmane.org/gmane.network.proftpd.user/9465.
65. B. Say. Bleedingheart Bug in OpenSSL, Apr. 2014. http://www.stunnel.org/pipermail/stunnel-users/2014-April/004578.html.
66. R. Seggelmann, M. Tuexen, and M. Williams. Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension. IETF Request for Comments (RFC) 6520, February 2012. https://tools.ietf.org/html/rfc6520.
67. N. Sullivan. The Results of the CloudFlare Challenge. Apr. 2014. http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge.
68. Tumblr. Urgent Security Update, Apr. 2014. http://staff.tumblr.com/post/82113034874/urgent-security-update.
69. United States Postal Service. Avoiding Heartbleed, May 2014. https://ribbs.usps.gov/importantupdates/HeartbleedArticle.pdf.
70. M. Wimmer. Removed Support for OpenSSL, 2007. https://jabberd.org/hg/amessagingd/rev/bcb8eb80cbb9.
71. WordPress. Heartbleed Security Update, Apr. 2014. http://en.blog.wordpress.com/2014/04/15/security-update/.
72. S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage. When Private Keys Are Public: Results from the 2008 Debian OpenSSL Vulnerability. In Proc. ACM Internet Measurement Conference, Nov. 2009.
73. ZDNet. Heartbleed Bug Affects Yahoo, OKCupid Sites, Apr. 2014. http://www.zdnet.com/heartbleed-bug-affects-yahooimgur-okcupid-convo-7000028213/.
74. ZEDOinc. https://twitter.com/ZEDOinc/status/456145140503957504, Apr. 2014. Customers and partners: none of the ZEDO sites or assets are affected by Heartbleed.