In April 2014, a vulnerability in OpenSSL was disclosed that allowed any attacker to read up to 64 kilobytes of a vulnerable peer's memory per request (servers were the usual target, but affected clients could be probed the same way), repeatedly, without leaving a trace in ordinary logs. The flaw was a missing bounds check in the TLS heartbeat extension: the handler trusted the payload length the peer claimed in the request instead of the number of bytes that had actually arrived, and copied whatever lay beyond the record into its reply. The code had been added at the end of 2011 by a PhD student who later said he simply forgot the check. OpenSSL underpinned HTTPS on roughly two thirds of the web, and the bug had been silently present for about two years. Because the leaked memory could hold private keys, session cookies and passwords, patching alone was not enough; the resulting scramble to patch, revoke and reissue certificates, and rotate private keys across millions of servers was the internet's largest coordinated emergency response to a single bug. The episode also prompted serious reflection on the fact that critical global infrastructure was being maintained by a handful of volunteers on negligible funding, and the OpenSSL project received substantial donations in the aftermath. The bounds check was added.
The Heartbleed Bug: Two Years of Open-Heart Surgery on the Internet
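The missing check described in the summary above, as an added illustration written for this page rather than OpenSSL's own source. It models a heartbeat record as RFC 6520 lays it out (type, two-byte payload length, payload, at least 16 bytes of padding), puts the record in a constructed "process memory" array with another connection's data sitting right after it, and runs a request that claims 64 payload bytes but carries 4 through a handler that trusts the length field and through one that performs the bounds check the fix introduced. The record layout, the array, the secret string and all function names are assumptions of the example, not artifacts from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520): 1-byte type, 2-byte
 * payload length, payload, >= 16 bytes padding. Written for this page, not OpenSSL. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Constructed process memory: the record at the front, another connection's data after it. */
static unsigned char process_mem[256];
static const char   neighbour_secret[] = "session-cookie=XYZZY";

/* Reply buffer sized for the largest claimable payload: the only defect on show is the over-read. */
static unsigned char reply[1 + 2 + 65535 + HB_MIN_PADDING];

/* Build a request claiming `claimed_len` payload bytes while carrying `actual_len`. */
size_t build_record(unsigned char *buf, uint16_t claimed_len,
                    const char *payload, size_t actual_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_MIN_PADDING);
    return 3 + actual_len + HB_MIN_PADDING;   /* the real record length */
}

/* Vulnerable handler: copies as many bytes as the peer's length field says,
 * never asking how many bytes actually arrived. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                            /* the bug: never consulted */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* reads past the record */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);
    return 3 + payload_len + HB_MIN_PADDING;
}

/* Hardened handler: the bounds check the fix introduced. Type, length field,
 * claimed payload and minimum padding must all fit inside the record. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out)
{
    if (rec_len < 3) return -1;               /* no complete header */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;                            /* drop silently, as the fix did */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);
    return 3 + payload_len + HB_MIN_PADDING;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Claim 64 bytes, send 4: the vulnerable handler echoes the 60 bytes beyond the record. */
int demo_vulnerable_leaks(void)
{
    memset(process_mem, 0, sizeof process_mem);
    size_t rec_len = build_record(process_mem, 64, "ping", 4);
    memcpy(process_mem + rec_len, neighbour_secret, sizeof neighbour_secret);
    int n = heartbeat_vulnerable(process_mem, rec_len, reply);
    return contains(reply, (size_t)n, neighbour_secret);   /* 1 = secret leaked */
}

/* The same malformed request against the fixed handler is dropped. */
int demo_fixed_rejects(void)
{
    memset(process_mem, 0, sizeof process_mem);
    size_t rec_len = build_record(process_mem, 64, "ping", 4);
    return heartbeat_fixed(process_mem, rec_len, reply) == -1;
}

/* An honest request (claimed length matches payload) is still answered. */
int demo_fixed_accepts_honest(void)
{
    memset(process_mem, 0, sizeof process_mem);
    size_t rec_len = build_record(process_mem, 4, "ping", 4);
    int n = heartbeat_fixed(process_mem, rec_len, reply);
    return n == 3 + 4 + HB_MIN_PADDING && memcmp(reply + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable leaks neighbour data: %d\n", demo_vulnerable_leaks());
    printf("fixed drops malformed request:   %d\n", demo_fixed_rejects());
    printf("fixed answers honest request:    %d\n", demo_fixed_accepts_honest());
    return 0;
}
```

The example keeps the over-read inside its own 256-byte array so it runs without undefined behaviour; in a real process the 64 KB window beyond the record is whatever the allocator placed there, which is why repeated requests could eventually turn up keys and credentials. Note that the fix rejects the record rather than clamping the length, so a probe gets no reply at all instead of a truncated one.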