The Heartbleed SSL Bug

Just days ago one of the largest Internet security flaws in recent history was discovered: the Heartbleed bug.

While you’ve probably heard on the news about this bug, this cartoon is probably the simplest explanation yet.

The Heartbleed bug tricks a server into spilling out extra information from its memory. A server’s memory often includes sensitive personal information, such as your passwords, credit card numbers, and other data you wouldn’t want anyone else to see.

This information is usually encrypted, which means it's translated to an indecipherable code when it's transferred between servers, but Heartbleed can be used to capture the codes (the keys) used to protect your data, and with those the encryption can be undone. That's because Heartbleed takes advantage of a vulnerability in OpenSSL, a popular encryption library used to power a giant chunk of the Web.

Popular web comic XKCD has broken down how Heartbleed works through this cartoon.

Heartbleed exploits a vulnerability in an OpenSSL feature called Heartbeat, which is a way of calling out to a server to make sure the connection is still up and secure. A Heartbeat message contains some arbitrary data plus a length field stating how many bytes of data the message holds. The server is supposed to send that exact data back to the original sender to prove the connection is still good. The Heartbleed bug is that the server trusted the length field without checking it against the size of the message it actually received, which in turn tricks the server into sending back far more of its memory than it should, without realising it.
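The length-field trust described above, as an added example that is not part of the original post and not OpenSSL's own code: a small C simulation in which a fixed byte array stands in for server memory, a constructed heartbeat record sits at the start of it, and a constructed "SECRET" string is placed right after the record the way unrelated heap data would be. The unpatched handler copies however many bytes the length field claims; the patched handler applies the bounds check that the OpenSSL fix introduced (header plus claimed payload plus minimum padding must fit inside the record actually received) and discards anything that fails it. Function names and the memory layout are assumptions for the demo.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed simulation of a TLS heartbeat handler (not OpenSSL code).
 * A fixed array stands in for server memory: the record sits at the start and
 * is followed by "other" data a real process would hold in adjacent memory. */

#define MEM_SIZE        64
#define HB_TYPE_REQUEST 1
#define HB_PADDING_MIN  16   /* minimum padding the heartbeat spec requires */

static uint8_t server_memory[MEM_SIZE];

/* Build a heartbeat request at offset 0 of server_memory:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding
 * claimed_len is whatever the sender writes in the length field; it need not
 * match the real payload. Returns the record length as received on the wire. */
size_t build_record(const char *payload, uint16_t claimed_len, const char *secret)
{
    size_t actual = strlen(payload);
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_TYPE_REQUEST;
    server_memory[1] = (uint8_t)(claimed_len >> 8);
    server_memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(server_memory + 3, payload, actual);
    size_t record_len = 3 + actual + HB_PADDING_MIN;   /* padding left as zeros */
    /* Constructed secret placed directly after the record, like adjacent heap data. */
    size_t secret_len = strlen(secret);
    if (record_len + secret_len < MEM_SIZE)
        memcpy(server_memory + record_len, secret, secret_len);
    return record_len;
}

static uint16_t read_length(void)
{
    return (uint16_t)((server_memory[1] << 8) | server_memory[2]);
}

/* Unpatched behaviour: trust the length field and copy that many bytes back.
 * The copy is clamped to the simulated memory only so the demo stays
 * well-defined; the real bug read past the record into whatever followed.
 * Returns the number of bytes echoed. */
int vulnerable_echo(size_t record_len, uint8_t *out, size_t out_cap)
{
    (void)record_len;                 /* the unpatched code never consulted it */
    size_t n = read_length();
    if (n > out_cap) n = out_cap;
    if (3 + n > MEM_SIZE) n = MEM_SIZE - 3;
    memcpy(out, server_memory + 3, n);
    return (int)n;
}

/* Patched behaviour: the claimed payload plus header and minimum padding must
 * fit inside the record actually received. Returns bytes echoed, or -1 if the
 * record is silently discarded. */
int patched_echo(size_t record_len, uint8_t *out, size_t out_cap)
{
    if (record_len < 3) return -1;
    uint16_t payload_len = read_length();
    if ((size_t)1 + 2 + payload_len + HB_PADDING_MIN > record_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, server_memory + 3, payload_len);
    return (int)payload_len;
}

/* Does the echoed buffer contain the given byte string? (used to show the leak) */
int echo_contains(const uint8_t *out, int n, const char *needle)
{
    size_t k = strlen(needle);
    if (n < 0 || (size_t)n < k) return 0;
    for (size_t i = 0; i + k <= (size_t)n; i++)
        if (memcmp(out + i, needle, k) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t out[MEM_SIZE];
    size_t rec = build_record("bird", 500, "SECRET");   /* claims 500, sends 4 */
    int n = vulnerable_echo(rec, out, sizeof out);
    printf("unpatched: echoed %d bytes, secret leaked: %d\n", n, echo_contains(out, n, "SECRET"));
    printf("patched:   result %d (negative = record discarded)\n", patched_echo(rec, out, sizeof out));
    rec = build_record("bird", 4, "SECRET");            /* honest length field */
    printf("patched, honest length: echoed %d bytes\n", patched_echo(rec, out, sizeof out));
    return 0;
}
```

The check in patched_echo is the whole fix: the length field is untrusted input, so it is validated against the record length the transport layer already knows before any copy happens. A request with an honest length field still gets its four bytes echoed, so the fix costs nothing for well-formed traffic.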

Most websites have now patched the offending version of OpenSSL which contained the bug. Although not required, it is recommended to change your passwords.

In cartoon form, it looks like this:

Are you still there, server? It's me, Margaret