TLS heartbeat extension (later deprecated)
E698189
The TLS heartbeat extension was a Transport Layer Security protocol feature designed to keep secure connections alive and test reachability, later becoming widely known for the critical Heartbleed vulnerability that led to its deprecation.
Observed surface forms (1)
| Surface form | Occurrences |
|---|---|
| TLS heartbeat extension | 0 |
Statements (47)
| Predicate | Object |
|---|---|
| instanceOf | TLS protocol extension; network protocol feature |
| abbreviation | TLS heartbeat |
| appliesTo | client; server |
| associatedCVE | CVE-2014-0160 |
| associatedVulnerability | Heartbleed |
| consequence | widespread security incident in 2014 |
| definedIn | RFC 6520 |
| designGoal | avoid TCP-level keep-alives for TLS; lightweight keep-alive mechanism |
| effectOfDeprecation | rarely enabled on modern secure deployments |
| hasField | padding; payload; payload length |
| hasPurpose | keep TLS connections alive; reduce need for renegotiation of TLS sessions; test peer reachability |
| introducedFor | DTLS 1.0; DTLS 1.2; TLS 1.0; TLS 1.1; TLS 1.2 |
| layer | transport layer |
| ledTo | changes in operational security practices; increased scrutiny of TLS implementations; revocation and reissuance of many TLS certificates |
| messageDirection | bidirectional |
| messageType | HeartbeatRequest; HeartbeatResponse |
| negotiatedVia | TLS extension mechanism |
| notableImplementation | OpenSSL |
| notableImplementationBug | OpenSSL Heartbleed bug |
| partOf | Transport Layer Security |
| protocolFamily | DTLS; TLS |
| requires | support from both peers |
| securityRecommendation | disable heartbeat extension on servers; upgrade vulnerable TLS libraries |
| standardizedBy | Internet Engineering Task Force (surface form: IETF) |
| status | deprecated in practice |
| usesMechanism | periodic heartbeat request and response messages |
| vulnerabilityCause | insufficient bounds checking in some implementations |
| vulnerabilityImpact | exposure of user credentials; information disclosure; leakage of process memory; potential exposure of private keys |
Referenced by (1)
Full triples — surface form annotated when it differs from this entity's canonical label.