HeartBleed Assignment - ConnorEast/Tech-Journal GitHub Wiki

**Section One — HeartBleed:**

To begin, what was Heartbleed? Heartbleed was a bug that originated from a vulnerability in OpenSSL’s cryptographic software library. The bug allowed attackers to steal the keys protecting the SSL/TLS-encrypted data that other individuals were sending over the network. Some of the data taken included secret keys, the names and passwords of users, and confidential communications sent through the web, email, or IM (Heartbleed.com). In total, the data of more than 500,000 secure web servers was affected by this bug. One final thing to note is that Heartbleed is the name of the bug; the software that allowed the bug to exist is known as “the Heartbeat Extension”.

What was the purpose and function of “The Heartbeat Extension”?

The main purpose of the Heartbeat Extension was to keep secure communication links alive so that renegotiation did not have to occur each time the servers needed to communicate with one another. It did this by intermittently sending small packets (referred to as heartbeats) to confirm that the connection had not been lost. The main reason this bug was as widespread as it was is that Heartbeat was enabled in OpenSSL by default. (Wikipedia)

What was the behavior of the heartbeat extension like? How was the vulnerability discovered?

The Heartbeat Extension would send heartbeats to the other server in order to confirm that the connection was working. The vulnerability was discovered by two separate groups. The first, Neel Mehta’s group, found it during a line-by-line audit of the OpenSSL code, undertaken because other vulnerabilities had already been discovered and further issues might be lurking within the code. The second group to find it was a Finnish cybersecurity firm known as Codenomicon. They found the bug while modifying a product they owned called Safeguard, a tool meant for penetration testing; when they tested the software against their own server they realized just how much data could be taken. This led them to find the vulnerability and publicize it. (csoonline.com)

How could the vulnerability be exploited and what would the impact be?

The line of code that gave way to the Heartbleed vulnerability was “memcpy(bp, pl, payload)”. This call copies “payload” bytes from location “pl” to location “bp”. Because the amount of data actually present at “pl” was never checked against the value of “payload”, a request could claim a payload length far larger than the data it carried, and the server would copy whatever followed in memory into its reply. This means that anyone who could send such a packet would receive parts of the server’s memory that should have remained private. This includes, but is not limited to, PII (personal identification information), key material, and more (Csoonline.com). In the end this vulnerability was bad enough to leave 17% of the world's secure web servers compromised.
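The missing check described above, as an added example that is not code from this wiki page or from OpenSSL itself. It is a simplified RFC 6520 heartbeat handler written in C for this page: the function names handle_heartbeat, build_request, demo_honest and demo_oversized, the constant names, and the two constructed requests are all assumptions made for the illustration. The one bounds check it carries (claimed payload plus header and minimum padding must fit inside the record actually received) corresponds to the check OpenSSL added in its fix; everything else is a toy, not the real record parser.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the wiki page or OpenSSL): a simplified RFC 6520
 * heartbeat handler showing the missing length check behind Heartbleed.
 * Record layout: [type:1][payload_length:2][payload:n][padding:>=16]. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Process one heartbeat request record of rec_len bytes and write the
 * response into out (capacity out_cap). Returns the response length, or -1
 * when the record is discarded. The names bp and pl mirror the page's
 * description; the check marked FIX is the one the vulnerable code lacked:
 * it bounds `payload` by the bytes that were really received. */
int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t out_cap)
{
    if (rec_len < 3)
        return -1;                          /* no room for type + length */
    if (rec[0] != HB_REQUEST)
        return -1;

    /* Sender-controlled claimed length (what OpenSSL's n2s() reads). */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    const unsigned char *pl = rec + 3;      /* start of the payload */

    /* FIX: header + claimed payload + minimum padding must fit in the
     * record we actually got; otherwise silently drop it (RFC 6520 sec. 4).
     * Without this line, the memcpy below would read `payload` bytes past
     * the request and echo adjacent process memory back to the sender. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = (size_t)1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;                          /* don't overflow our own buffer */

    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                /* the page's memcpy, now bounded */
    bp += payload;
    memset(bp, 0, HB_PADDING);              /* real code uses random padding */
    return (int)resp_len;
}

/* Build a constructed request that carries strlen(data) real bytes but
 * claims `claimed` bytes in its length field. Returns the record length. */
size_t build_request(unsigned char *buf, size_t cap,
                     uint16_t claimed, const char *data)
{
    size_t n = strlen(data);
    size_t total = 3 + n + HB_PADDING;
    if (total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memcpy(buf + 3, data, n);
    memset(buf + 3 + n, 0, HB_PADDING);
    return total;
}

/* Honest request: claimed length matches the data, so the handler answers. */
int demo_honest(void)
{
    unsigned char req[64], resp[128];
    size_t len = build_request(req, sizeof req, 5, "hello");
    return handle_heartbeat(req, len, resp, sizeof resp);   /* 24 */
}

/* Malformed request: claims 65535 bytes but sends 5, so it is discarded. */
int demo_oversized(void)
{
    unsigned char req[64], resp[128];
    size_t len = build_request(req, sizeof req, 65535, "hello");
    return handle_heartbeat(req, len, resp, sizeof resp);   /* -1 */
}

int main(void)
{
    printf("honest request  -> %d\n", demo_honest());
    printf("oversized claim -> %d\n", demo_oversized());
    return 0;
}
```

Compile with any C compiler and run it: the honest request produces a 24-byte response (1 + 2 + 5 + 16), while the request that lies about its length is dropped with -1 instead of being answered with 65535 bytes of whatever sat next to it in memory. The single comparison marked FIX is the whole difference between the vulnerable and patched behaviour, which is why the mitigation at the time was simply upgrading to an OpenSSL build containing it and then re-issuing any keys that might already have been exposed.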

**Section Two — Extended Validation Certificate:**

In a few sentences, define an EV Cert and explain how it is different from a standard (aka Domain Validation) certificate.

An EV Certificate is one that conforms to X.509 and is focused more on who is issuing the certificate. Because these certificates can only be issued by a subset of Certificate Authorities, only a few CAs can give them out, which makes them more secure.

The main difference between Domain Validation and Extended Validation is simply that DV only requires a response from somewhere, rather than from a specified vendor.

What are the criteria for issuing/acquiring an EV Certificate?

EV certificates require validation of an organization's registration number, jurisdiction, and operational existence, together with a domain fraud check and blocklist checks.

As a user, how do you know that a site is using an EV Cert? (Different browsers may have their own methods of indication.)

The main way to tell if a site uses an EV cert is that the company name is displayed alongside the URL, with either a green background or green text. If you open the certificate's general details you should also see that the identity of the organization is shown.

“The Heartbleed Bug.” Heartbleed Bug, heartbleed.com/. Accessed 15 Feb. 2024.  
“The Heartbleed Bug: How a Flaw in Openssl Caused a Security Crisis.” CSO Online, 6 Sept. 2022, www.csoonline.com/article/562859/the-heartbleed-bug-how-a-flaw-in-openssl-caused-a-security-crisis.html#:~:text=Heartbleed%20was%20actually%20discovered%20by,attacks%20against%20servers%20running%20OpenSSL.  
“Heartbleed.” Wikipedia, Wikimedia Foundation, 9 Feb. 2024, en.wikipedia.org/wiki/Heartbleed.