Heartbleed bug - A simple explanation

Over the past few days you may have heard, or read, about the so-called 'Heartbleed bug', which has punched a massive hole in the heart of the internet and left a large share of the world's secure websites open to attack. But like most of my friends, I doubt many people outside of the tech bubble really a) care or b) have even the slightest idea of what this is, or indeed how serious it is.

So, what is it?

On April 7th 2014 researchers from the security company Codenomicon and Neel Mehta of Google Security, working independently, publicly disclosed a vulnerability (CVE-2014-0160) in something called OpenSSL. OpenSSL is an open-source library that a website uses to encrypt the information it sends to its visitors (you), meaning people can't read what is being sent to you once it leaves the site's servers until it reaches your device.

The bug (a mistake introduced by a developer) that you may have heard about, the Heartbleed bug, was introduced at the end of December 2011, shipped in OpenSSL 1.0.1 in March 2012 and affects versions 1.0.1 through 1.0.1f. It is named after the bit of functionality that it impacts: the heartbeat, or HeartbeatMessage, defined in RFC 6520.

When you connect to a secure website you normally connect using something called 'SSL/TLS', which is marked by a closed padlock and 'https' in your browser's address bar. Many servers use OpenSSL as their SSL/TLS implementation. Your device and the website you are connected to can 'talk' to each other by sending small bits of data to show that the connection is still alive: the heartbeat. One side sends a message and the other is supposed to echo it back, returning exactly as much data as it was sent. In simplified terms, a heartbeat request has three parts:

1) A request for acknowledgement
2) A random message
3) The number of characters in that message

For example:

Are you still there, if so say "hello" (5 characters)

The website will then respond saying

hello

The reply is exactly as long as the request said the message was.

Now, the heartbeat message is held briefly in the memory of the server that hosts the website, right next to whatever else that server was handling at the time. So let's say that just before your device did that check, another user somewhere else in the world logged in:

I want to log in with username:me@test.com password: badpassword

The server will respond with something like

username:me@test.com logged in

but on the actual server, in memory, "I want to log in with username:me@test.com password: badpassword" is still sitting there. Data left behind in memory like this could be anything from your email address to the credit card details from that book you just bought. The vulnerability allows someone to talk to the server and say:

Are you still there, if so say "hello" (500 characters)

The server will then respond with

hello followed by 495 more characters

In this case the server does not have 495 extra characters of "hello" to send, so it sends back the next 495 characters it finds in its memory after the heartbeat message. In our example above, the request

Are you still there, if so say "hello" (500 characters)

gets the response

hello I want to log in with username:me@test.com password: badpassword username:me@test.com logged in

The hacker now has someone's credentials. In real life the length field is two bytes, so an attacker can ask for up to 65,535 characters (about 64 KB) each time, and can do this over and over again, pulling a fresh slice of the server's memory with every request. Nothing about the request looks unusual to the server, so it leaves no trace in the ordinary logs.

This, in very simple terms, is the heartbleed bug.

How did it happen?

OpenSSL is an open-source piece of software, meaning that it is written and updated by anyone with the interest and the knowledge. A developer pushed the change that added the heartbeat feature on 31st December 2011, and it shipped in OpenSSL 1.0.1 in March 2012. The relevant bit of code, from the heartbeat handler in ssl/t1_lib.c, is this:

  
/* Read type and payload length first */
hbtype = *p++;        /* 1 byte: heartbeat request or response */
n2s(p, payload);      /* 2 bytes: the payload length the sender *claims* */
pl = p;               /* the payload itself starts here */

The server then allocates a response buffer and copies `payload` bytes starting at `pl` into it, trusting the length the client claimed. There is no check on the server's end that the record it actually received contains that many bytes, so a client that claims 500 bytes but sends 5 gets back its own 5 bytes plus 495 bytes of whatever happens to lie next in the server's memory.

The Fix

OpenSSL 1.0.1g, released the same day as the disclosure, resolves this by checking that the length the client claims does not exceed the amount of data the server actually received, and silently dropping the heartbeat if it does.

The fix;

  
/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
/* 1 byte of type + 2 of length + the claimed payload + 16 bytes of padding
 * must all fit inside the record that actually arrived (rrec.length) */
if (1 + 2 + payload + 16 > s->s3->rrec.length)
    return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;

This added a check that the payload length claimed in the request, plus the 1-byte type, 2-byte length and 16 bytes of padding, fits within the record the server actually received. If it does not, the heartbeat is silently dropped and nothing is echoed back, so a request that lies about its length can no longer pull extra bytes out of memory.
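To make the "hello" exchange above and the two code snippets concrete, here is an added example in plain C (not code from the original post, and not OpenSSL's own source) that imitates the shape of OpenSSL's heartbeat handler. The record layout (1-byte type, 2-byte length, payload, 16 bytes of padding) and the two length checks follow RFC 6520 and the fix; everything else is an assumption for the demonstration: the n2s/s2n helper functions, the constructed SECRET string standing in for another user's login, the single 70000-byte "heap" that places that secret right after the heartbeat record, and the bounds_check switch that turns the 1.0.1g checks on and off.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Message types and minimum padding length from RFC 6520. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Constructed stand-in for what sat next to the heartbeat record on the server's heap. */
static const char SECRET[] =
    "I want to log in with username:me@test.com password: badpassword";

/* 16-bit big-endian read/write, the job OpenSSL's n2s()/s2n() macros do (assumed helpers). */
static uint16_t n2s(const unsigned char **p) {
    uint16_t v = (uint16_t)(((*p)[0] << 8) | (*p)[1]); *p += 2; return v;
}
static void s2n(uint16_t v, unsigned char **p) {
    (*p)[0] = (unsigned char)(v >> 8); (*p)[1] = (unsigned char)v; *p += 2;
}

/* Write a HeartbeatRequest (type, length field, payload, padding) to `out` and return
 * the bytes really written. The length field is whatever the caller claims. */
static size_t build_request(unsigned char *out, const char *msg, uint16_t claimed_len) {
    unsigned char *bp = out;
    size_t real_len = strlen(msg);
    *bp++ = TLS1_HB_REQUEST;
    s2n(claimed_len, &bp);
    memcpy(bp, msg, real_len);
    memset(bp + real_len, 0, HB_PADDING);
    return 1 + 2 + real_len + HB_PADDING;
}

/* Handler shaped like OpenSSL's tls1_process_heartbeat(): bounds_check == 0 behaves like
 * 1.0.1f (the bug), 1 adds the 1.0.1g checks. Returns a malloc'd response or NULL. */
static unsigned char *process_heartbeat(const unsigned char *rec, size_t rec_len,
                                        int bounds_check, size_t *resp_len) {
    const unsigned char *p = rec, *pl;
    unsigned char hbtype, *buffer, *bp;
    uint16_t payload;
    if (bounds_check && (size_t)(1 + 2 + HB_PADDING) > rec_len)
        return NULL;                  /* silently discard */
    hbtype = *p++;                    /* read type and payload length first */
    payload = n2s(&p);
    pl = p;
    if (bounds_check && (size_t)(1 + 2 + payload + HB_PADDING) > rec_len)
        return NULL;                  /* the fix: claimed length must fit the bytes received */
    if (hbtype != TLS1_HB_REQUEST) return NULL;
    buffer = malloc(1 + 2 + payload + HB_PADDING);
    bp = buffer;
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, &bp);
    memcpy(bp, pl, payload);          /* copies `payload` bytes, however many were really sent */
    memset(bp + payload, 0, HB_PADDING);
    *resp_len = 1 + 2 + payload + HB_PADDING;
    return buffer;
}

/* Stage the "server heap" as one allocation: the record followed straight away by SECRET.
 * One buffer keeps the over-read well-defined C while it still reads bytes never sent. */
static unsigned char *run_heartbeat(uint16_t claimed_len, int bounds_check, size_t *resp_len) {
    unsigned char *heap = calloc(70000, 1), *resp;   /* room for any 16-bit claimed length */
    size_t rec_len = build_request(heap, "hello", claimed_len);
    memcpy(heap + rec_len, SECRET, sizeof SECRET);
    resp = process_heartbeat(heap, rec_len, bounds_check, resp_len);
    free(heap);
    return resp;
}

/* Payload length the server answered with, or -1 if it dropped the record. */
int response_payload_len(uint16_t claimed_len, int bounds_check) {
    size_t n = 0;
    unsigned char *resp = run_heartbeat(claimed_len, bounds_check, &n);
    const unsigned char *q; int len;
    if (!resp) return -1;
    q = resp + 1;                     /* skip the 1-byte type, read the 2-byte length */
    len = n2s(&q);
    free(resp);
    return len;
}

/* 1 if the other user's secret shows up in the heartbeat response, else 0. */
int response_leaks_secret(uint16_t claimed_len, int bounds_check) {
    size_t n = 0, i, slen = strlen(SECRET);
    unsigned char *resp = run_heartbeat(claimed_len, bounds_check, &n);
    int leaked = 0;
    if (!resp) return 0;
    for (i = 3; i + slen <= n; i++)   /* scan the payload after the 3-byte header */
        if (memcmp(resp + i, SECRET, slen) == 0) { leaked = 1; break; }
    free(resp);
    return leaked;
}

int main(void) {
    printf("1.0.1f, claims 500 sends 5: payload %d, leaked %d\n", response_payload_len(500, 0), response_leaks_secret(500, 0));
    printf("1.0.1g, claims 500 sends 5: payload %d, leaked %d\n", response_payload_len(500, 1), response_leaks_secret(500, 1));
    return 0;
}
```

With the check off, a request that claims 500 bytes but sends 5 comes back with a 500-byte payload containing the other user's login; with the check on, the same record is dropped and an honest 5-byte request still gets its 5 bytes back. The over-read stays inside one allocation here so the program is well-defined; on a real server the bytes past the record could be anything, including the private key.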

What should I do?

Well, the first thing you should do is check that the websites you use have fixed this bug. There is no point in changing your password if they haven't, because the new one could leak just like the old one. A proper fix means more than updating OpenSSL: because the server's private key could have been read out of memory as well, a site also needs to issue a new certificate and revoke the old one.

If they have, then you should change your password to something new as soon as possible.

Then, to keep yourself safe in the future, don't reuse the same password across sites, change your passwords regularly, and if possible use something called 'two-factor authentication'; Google and Facebook both offer it.

Update: xkcd did a nice comic on the issue:

[image: xkcd comic, https://xkcd.com/1354/]
